Data Protection Policy
Last Revised August 2020
Contents:
A. POLICY
B. GUIDANCE NOTES FOR FREELANCERS
Appendices:
- Processing Personal Data
- Part 1 – Use of Student Personal Data
- Part 2 – Use of Freelancers Personal Data
- Retention of Personal Data
- Subject Access
DATA PROTECTION POLICY
Set out below is the policy and code of practice on data protection, which accords with the General Data Protection Regulation 2016 (GDPR).
The code falls into two sections.
The first constitutes a statement of general policy, which includes an indication of the school’s obligations under the Regulation.
The second section provides guidance notes in connection with handling personal data.
A. POLICY
Introduction
1. The school needs to process certain information about its employees, students
and other individuals, examples of which are set out in paragraph 7 below. In so doing,
Basingstoke Academy of Dancing must comply with the General Data Protection Regulation 2016 [GDPR].
The Act contains eight basic principles, which state that personal data must:
- be obtained and processed fairly and lawfully and shall not be processed unless
certain conditions are met
- be obtained for a specified and lawful purpose and shall not be processed in any
manner incompatible with that purpose
- be adequate, relevant and not excessive for those purposes
- be accurate and kept up to date
- not be kept for longer than is necessary for that purpose
- be processed in accordance with the data subject’s rights
- be kept safe from unauthorised access, accidental loss or destruction
- not be transferred to a country outside the European Economic Area, unless that
country has equivalent levels of protection for personal data.
2. Two of the main features of the Act are that:
- it places restrictions on what the school can do with personal data; certain conditions, which include obtaining data subject consent, must be met before processing can take place. The term ‘processing’ covers almost anything that is done to data by reference to individuals and the practical implications of these restrictions are wide-ranging
- it extends the right of access for Freelancers and students to personal data that relates to them held in computerised systems to include ‘organised’
-
- manual filing systems within departments, services and the centre. (There is no entitlement to immediate or on-site access, but the Act places a responsibility on the Institution to respond to access requests in good time)
- to this end, all data subject access requests will be handled centrally.
- The Institution and all Freelancers or others who process or use any personal information must ensure that the data protection principles and the law under the Act are followed and fully implemented. To facilitate this, Basingstoke Academy of Dancing has developed a code of practice on data protection. The references to personal data made within this document apply to all data held on individuals within Basingstoke Academy of Dancing not just students and Freelancers.
3. Status of the Policy:
- This policy forms part of the formal contract of engagement for Freelancers and part of the formal agreement between students and Basingstoke Academy of Dancing. Freelancers, and where appropriate students, must abide by this policy and any failure to comply with the code could result in disciplinary proceedings.
- Those with ‘Visitor’ status will also be expected to comply with this policy insofar as they come into contact with personal data through the Basingstoke Academy of Dancing and in connection with the provision of their own personal data.
- Freelancers or students who consider that the policy has not been followed in respect of personal data should raise the matter with the Basingstoke Academy of Dancing Studio Manager or Principal. If the matter is not resolved it should be raised under the appropriate grievance or complaints procedures.
What is personal data?
- Personal data is information about a living individual, who is identifiable by the information, or who could be identified by the information combined with other data, which Basingstoke Academy of Dancing has or may have in the future. This includes names and addresses, features such as hair and eye colour – which will often be in the form of photographs – student attendance records and marks, ethnic origin, qualifications and experience, details about Freelancers sick and annual leave, dates of birth or marital status. Furthermore, any recorded opinion about or intentions regarding a person are also personal data; and this includes both student progress reports and Freelancers review reports.
- The Act covers ALL personal data processed by the school, irrespective of whether these are held by individual members of Freelancers in their own separate files or in the school’s records system.
- The Act distinguishes between ordinary personal data such as name, address and telephone number and sensitive personal data including information relating to racial or ethnic origin, political opinions, religious beliefs, health, sex life and criminal convictions. Under the Act the processing of sensitive data is subject to much stricter conditions. Processing of sensitive data requires explicit consent. However, in most instances consent to process ordinary and sensitive data is obtained routinely by the Institution (see paragraphs 13 – 14 below).
Electronic data
Electronically-held data is already covered by the 1984 Act
- For the avoidance of doubt, this data encompasses not just personal data held on databases but, for example, emails, letters and other documents held electronically.
4. Manual filing systems
The new Act covers ‘relevant’ manual filing systems, which may have the following
characteristics:
- grouping within a common criterion, even if not physically kept in the same file or drawer
- structuring by reference to the individual by name, number, student cohort, degree scheme or other mechanism, or by criteria common to individuals, such as sickness, type of job, membership of pension scheme or department
- and, most pertinently of all, structuring that allows specific information about the individual to be readily accessible.
- In practical terms it is prudent to assume that most manual filing systems fall under the provisions of the Act with effect from October 2001.
Subject Consent
- In many cases, the school can process personal data only with the consent of the individual. In some cases, if the data are sensitive, explicit consent must be obtained. The Institution has a duty, under certain circumstances, to ensure that Freelancers are suitable for the job, and students for the courses offered. On occasion, police checks will be required to verify criminal records. (There are, for example, some jobs or courses which will bring the applicants into contact with children). Where this is relevant to the job, the Institution may also ask for information about particular health circumstances.
- As noted above, in most instances Freelancers – and where appropriate, students – will not need to obtain consent to process from data subjects because such consent is obtained routinely by the Institution. All Freelancers and students are asked to signify their consent to the Institution processing both ordinary and sensitive personal data on application for the purposes of processing that application. Upon student registration or acceptance of an offer of engagement, students and Freelancers are asked to give consent to processing a wider range of data. Agreement to the school processing this personal data is a condition of acceptance of a student onto any course and a condition of engagement for Freelancers; a refusal to provide consent may result in discontinuance of the application. Further information on this point is set out in Appendix I.
Retention of Data
- It is not in the interest either of data subjects or of the Institution to retain unnecessary or duplicated information. Basingstoke Academy of Dancing does, however, retain some data relating to former Freelancers and students – most of which is held in the Basingstoke Academy of Dancing.
- Archive – partly to comply with statutory requirements but also as a way of maintaining a complete historical record. Nonetheless, it is Basingstoke Academy of Dancing’s policy to discourage the retention of personal data within files for longer than it is needed.
- Freelancers are encouraged to work towards the guidelines for the retention of personal data and files forwarded to the Archive should be ‘weeded’ beforehand in accordance with this guidance.
5.Access to data
- Freelancers, students and others in contact with the Institution will on most occasions have the right to access personal data that is being kept about them either on computer or in ‘relevant’ manual files. This will normally be provided in the form of copies of the personal data or a report of the data held, depending on the type and format of the original data. Any person who wishes to exercise this right should complete the access request form (see Appendix III) and forward it to the Studio Manager or Principal.
- Where required to do so under the Act, the Institution aims to comply with requests for access to personal information from data subjects as quickly as possible but will ensure that it is provided within 7 days from the date of the request.
Freelancers obligations
- Freelancers have responsibilities for processing personal data about students (and in some instances, colleagues) but are also data subjects in their own right. In connection with personal data on students and colleagues, all Freelancers must comply with Basingstoke Academy of Dancing guidelines on data protection. In connection with their own personal data, all Freelancers should:
- ensure that any information that they provide to Basingstoke Academy of Dancing in connection withtheir engagement is accurate and up to date
- inform Basingstoke Academy of Dancing of any changes for which they are responsible, for example, changes of address (the Institution cannot be held accountable for errors arising from changes about which it has not been informed).
Student obligations
- Students/Parents must ensure that all personal data provided to the Institution are accurate and up to date. They must ensure that any changes, of address, for example, are notified to the Studio Manger or Principal (Basingstoke Academy of Dancing cannot be held accountable for errors arising from changes about which it has not been informed).
Data Security
All Freelancers must ensure that:
- any personal data which they hold are kept securely
- personal information is not disclosed either orally or in writing, intentionally or otherwise to any unauthorised third party.
- Freelancers should note that unauthorised disclosure may be a disciplinary matter, and could be considered gross misconduct in certain cases.
- Freelancers should make reasonable efforts to ensure that all personal information is kept securely but should pay attention to the security of sensitive data. All personal data should be accessible only by those who need to use it and sensitive data must be either kept in a lockable room with controlled access, or:
- kept in a locked filing cabinet, or
- in a locked drawer, or
- if computerised, be password protected, or
- kept only on electronic media which is kept securely.
- Off-site use of personal data presents a potentially greater risk of loss, theft or damage to personal data; and the institutional and personal liability that may accrue from the off-site use of personal data is similarly increased. Freelancers should take care when laptop computers or personal machines are used to process personal data at home or in other locations outside the school; and Freelancers should also be aware that this code of practice and their responsibilities under it apply when data are processed under such circumstances.
Conclusion
- Compliance with the 1998 Act is the responsibility of all members of the Institution.
- Any breach of the data protection policy may lead to disciplinary action being taken, or access to Basingstoke Academy of Dancing facilities being withdrawn, or even a criminal prosecution by third parties. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Studio Manager or Principal.
Further information
B. GUIDANCE NOTES FOR FREELANCERS
- In addition to their responsibilities for processing personal data about students (and in some instances, colleagues), Freelancers are also data subjects in their own right. Most Freelancers process personal data about students on a regular basis, when marking registers, or assessments, writing reports or references, as part of a pastoral or academic supervisory role, or in connection with the student administration, including registration, fees, grants, awards, prizes and matters connected with academic appeals and student discipline. Freelancers frequently also process information about other Freelancers, especially in the context of recruitment and internal procedures, including those for promotion, disciplinary matters and appeals.
- The School will ensure that all students/Parents give their consent to processing ordinary and sensitive personal data via registration procedures, and that they are notified of the categories of processing as required by the 1998 Act.
- All Freelancers have a duty to make sure that they comply with the data protection principles, which are set out in Basingstoke Academy of Dancing’s Data Protection Policy.
- In particular, Freelancers must ensure that records are:
- accurate;
- up-to-date;
- fair;
- kept and disposed of safely, and in accordance with the School’s policy.
- All Freelancers, including non-contracted Freelancers, will be responsible for ensuring that data is kept securely.
- Freelancers must not disclose personal data to a third party unless:
- the type of data disclosed, and the party or parties to whom it is disclosed, are among those for which consent is sought routinely by the School (as set out in the sections on the use of personal data relating to Freelancers and students in Appendix I), or
- if disclosure for such data is not sought routinely, the member of Freelancers or student concerned has otherwise given consent to the disclosure, or
- disclosure is in the best interests of the student or member of Freelancers or a third person, or is otherwise urgent and necessary in the circumstances, or is required in compliance with the law.
- Third party disclosure under the final bullet point of the previous paragraph should occur only in very limited circumstances (for example, if personal data is required urgently where a member of Freelancers or student is injured and unconscious, but in need of medical attention).
- Where disclosure is requested by the police, without exception, the matter should be referred to Studio Manager or Principal.
- Where a member of Freelancers is in doubt about how to proceed on third party disclosure, he or she should contact either the Studio Manager or Principal.
Freelancers Checklist for Processing Data
Before processing any personal data, all Freelancers should consider the checklist set out below.
- do you really need to record the information?
- is the information ‘ordinary’ or is it ‘sensitive’ (see paragraph 9 above)?
- does the Institution have the data subject’s consent, i.e. is it included in the sections on the use of personal data relating to Freelancers and students set out in Appendix I
- are you authorised to collect/store/process the data?
- unless the data have been obtained from a reliable source, have you checked with the data subject that the data is accurate?
- are you sure that the data are secure?
- if you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the student or the Freelancers member to collect and retain the data?
Access requests
The GDPR gives individuals the right to access data held about them by the Institution. However, this is not an entitlement to immediate access – the School has seven days in which to comply with data subject access requests – and Freelancers should forward all such requests to the Studio Manager or Principal. The new regulation also means that any recorded opinion about or intentions regarding a person are also personal data to which a data subject may gain access. This should be borne in mind when written or other records are made (and this includes e-mails and audio recordings, in addition to computer and manual files) and when files are weeded for unnecessary or duplicative material. The following is a useful test to apply to ‘doubtful’ comments:
- Is this comment fair, accurate and justifiable?
- If I were to show this to the data subject, would I still be confident that the comment is fair, accurate and justifiable?
If the answer to the questions – and in particular the first question – is ‘No’, then the
comment should go unrecorded.
Access rights also mean that the confidentiality of references provided either
internally or for external bodies can no longer be assumed. Again, this should be
borne in mind when references are drawn up and in general terms the information
provided in references should:
- confirm the accuracy of or provide factual information
- differentiate between statements of fact and opinion
- express only justifiable opinions, based on first-hand experience
- be fair and accurate
- avoid ambiguous or coded language.
Inappropriate data should neither be recorded nor retained and, needless to say,
once a data subject has requested access, data relating to him/her must not be
‘weeded’.
APPENDICES
Appendix I. Processing Personal Data
Introduction
In most instances Freelancers – and where appropriate, students – will not need to obtain consent to process from data subjects because such consent is obtained routinely by the school.
The data for which consent to process may be considered as having been obtained are
set out below.
Part I sets out the use of student personal data.
Part II sets out the use of Freelancers personal data.
Part 1 – Use of Student Personal Data
The Institution wishes to make it clear to all students/Parents how their personal data (including certain sensitive (1) data) will be processed by the school.
The lists contained below does not preclude the school from processing personal data
that is included within its registered use under the Data Protection Act or in any other way allowed under the law.
All students/Parents agree to the Institution processing their personal data for the following purposes, provided that sensitive personal data may be processed only as set out below:
1. Admission, registration.
2. Academic assessment.
3. Administration of appeals, complaints or grievances.
5. The granting of awards.
6. Processing and recovery of accounts and fees.
7. Research and statistical analysis.
8. Host mailing of services or career opportunities that the Institution believes may be of interest to students.
9. Administration of engagement contracts where the student is employed by the school.
10. Administration of the Institution’s Alumni relations (RAD & ISTD)
11. Consideration of the award of scholarships.
12. Administration of such codes of practice and policies as apply to students.
13. Production of photographs of students for display within the School or Website.
All students/Parents agree that their personal data may be processed and released to third parties for the following purposes:
14. To the police or other regulatory body where pursuant to the investigation or disclosure of a potential crime.
15. To close family and the emergency services where there is an emergency situation e.g. illness, serious injury to the student or bereavement.
16. To external examiners for the purposes of assessment.
17. To professional bodies where registration with that body is related to or a requirement.
All students agree to the school processing their sensitive personal data (data about
racial or ethnic origin, physical or mental health, commission or alleged commission of
criminal offences) for the following purposes and for release to the following third parties:
18. To professional bodies where registration with that body is related to or a Requirement.
19. Unless otherwise agreed with the student, within the Institution only, for the
assessment and provision of services to disabled students and for the admission
and administration of student programmes.
20. Where required, to the police or other agencies in connection with particular
programmes of study or prior to certain placements.
Provision of Personal Data to a Third Party
Except as otherwise provided for in the ‘Use of Student Personal Data’ statement set out
above, or unless written authorisation has been provided by the student/parent concerned, the school does not release information that could constitute personal data to any third party (including parents, relatives and friends).
Part II – Use of Freelancers Personal Data
The Institution wishes to make it clear to all members of Freelancers and other workers how the Institution will process their personal data (including certain sensitive (1) data). In essence, in order to function normally, the school needs to process ‘ordinary’ and ‘sensitive’ personal data for engagement-related purposes.
The list shown below does not preclude the Institution from processing personal data that
is included within its registered use under the Data Protection Act or in any other way
allowed under the law.
All members of Freelancers and other workers agree to the Institution processing their personal data for the following purposes:
1. Payment of salary, pension, sickness benefit or other payments due under the
contract of engagement.
2. Monitoring absence or sickness under an absence control or capability policy.
3. Training and development purposes.
4. Management planning.
5. Providing and obtaining references and consultation with external agencies,
including police checks where necessary for the purposes of engagement.
6. To the police or other regulatory body where pursuant to the investigation or
disclosure of a particular crime.
7. Timetable organisation.
8. Administration of Basingstoke Academy of Dancing’s codes of practice and policies.
9. Compliance with any statutory or legal requirement to provide information about
Freelancers or other workers including, for example, statistical returns to external bodies
and Freelancers membership lists to Unions.
10. Administration of Basingstoke Academy of Dancing’s disciplinary and grievance procedures.
11. Production of published Freelancers lists including telephone and e-mail directories for both internal and external use.
12. Production of photographs of Freelancers for display within the School or on the web.
13. To close family and emergency services in the event of an emergency, for example,
illness, serious injury to the member of Freelancers or bereavement.
14.Sensitive personal data includes information relating to racial or ethnic origin,
political opinions, religious beliefs, trade union membership, health, sex life and
criminal convictions.
Appendix II. Retention of Personal Data
UNDER REVIEW
Document and Data Retention Guidelines
1. Notes
(a) The Principal and Studio Manager of the institution has agreed the retention periods identified in this section.
(b) Where a retention period of twelve months is specified, the documents must be retained until the completion of the final audit for the year to which they relate.
(c) Where a retention period of one year is specified, the records must be retained for 1 year after the completion of the final audit for the year to which they relate. Similarly, with 2 years, 6 years etc.
(d) Items marked # are to be shredded at the expiry of the retention period.
(e) Any records not required on a day to day basis should be stored in the School’s archives.
(f) An annual review of documents in store should take place at a convenient time after
completion of the annual audit so that documents no longer required can be destroyed.
(g) The following guide is to be used as a basis to minimum retention periods only. Records may be retained for longer if necessary.
Record | Retention Period |
Financial | 7 years # |
Registration Information Forms (Paper) | 1 year # |
Registration Information Online | 2 years |
Copies Exam Certificates | Indefinitely |
Appendix III.
Subject Access Request Form
1. Details of the person requesting the information:
Full name: …………………………………………………………………………………….
Address: ………………………………………………………………………………………………………………………………………………………………………………………..
………………………………………………………………………………………………..
………………………………………………………………………………………………..
………………………………………………………………………………………………..
Telephone Number: …………………………………………………………………………..
Email: …………………………………………………………………………………………
2. If you are not the Data Subject, you must supply the details of the Data
Subject, together with their written authority to act on their behalf.
Details of the Data Subject (if different from 1. above)
………………………………………………………………………………………………..
………………………………………………………………………………………………..
………………………………………………………………………………………………..
………………………………………………………………………………………………..
3. Please describe any specific document(s) you wish to see below, e.g.
particular report or specific departmental file:
………………………………………………………………………………………………..
………………………………………………………………………………………………..
………………………………………………………………………………………………..
………………………………………………………………………………………………..
If you would like a more general search, indicate below any
sections/departments that you have been in contact with which you would
like to be searched for relevant data:
………………………………………………………………………………………………..
………………………………………………………………………………………………..
………………………………………………………………………………………………..
………………………………………………………………………………………………..
Please note that the institution reserves the right to obscure or suppress information
which may relate to other third parties (under the terms of Section 7 of the Data
Protection Act 1998)
Declaration
I certify that the information given on this application is true, together with relevant documents:
Signed_____________________________________
Dated______________________________________
Documents which much accompany this application are:
i) Evidence of your identity
ii) If you are not the Data Subject – evidence of the Data Subject’s consent to disclose information