Cornerstone College Procedure

The processing of all data:

Cornerstone College shall always have a legitimate reason for the collecting and storing of data (for example to provide information to the Department of Education’s annual census) and will always ensure that the processing of data has no adverse effect on any individual. It will be transparent in processing data and where appropriate inform individuals through a ‘privacy notice’ that their personal information is being processed.

The processing of all data must be:

• Necessary to deliver our services
• In our legitimate interests and not unduly prejudice the individual’s privacy
• In most cases this provision will apply to routine College data processing activities.

Privacy Notice

Cornerstone College’s terms of business contains a Privacy Notice to students, staff, contractors and all other individuals dealing with the College on data protection.

The notice:

• Sets out the purposes for which we hold personal data on students  and employees
• Highlights that our work may require us to give information to third parties such as professional advisers and external agencies.
• Provides that students have a right of access to the personal data that we hold about them.

The privacy notice can be found on Cornerstone College’s website.

Sensitive personal data

In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work/ Safeguarding etc). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

Sometimes it is necessary to process information about a person’s criminal convictions, race and gender and family details. This may be to ensure that Cornerstone College is a safe place for everyone, or to operate other policies, such as the Equality Opportunities Policy and Child Protection and Safeguarding. The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes or disabilities. The College will only use the information for the protection of the health and safety of the individual, but will need consent to process this information, for example in the event of a medical emergency. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this without good reason.

Conditions for processing personal data

Before data may be processed one of the following conditions must be met:

1. the individual (data subject) has given their consent
2. the processing is necessary in relation to a contract
3. the processing is necessary because of a legal obligation
4. the processing is necessary to protect the individual’s vital interests
5. the processing is necessary for the administration of justice or other statutory functions
6. any other legitimate interest

Conditions for processing sensitive personal data

Because such information might be used in a discriminatory way, these are more stringent and must include one of the following conditions:

1. the individual has given consent
2. the processing is required by employment law
3. the processing is necessary to protect the vital interests of the individual or third part
4. the individual has made the information public
5. the processing is necessary for statutory reasons
6. the processing is carried out with a third party who is bound by a professional code of conduct (a doctor for example)
7. the processing is required to monitor equal opportunities
8. the processing is necessary to prevent crime or protect the public.

Exemptions

Generally all personal data collected and processed will be subject to the Data Protection Act. However, some exemptions may apply. For example, Cornerstone on occasions will ask for references (a confidential reference given by the College to a third party regarding education, employment/training, appointment to a public office, a service being provided by the data subject etc) that will remain confidential and are exempt from the requirements of the Act. References we have received and kept on file are not exempt. We must, however, ensure that the rights of the referee are considered. Information about the individual referee should not be disclosed without explicit consent (anonymising the information is acceptable). The College cannot refuse to disclose confidential references without providing reasons. Crime and taxation – personal data may have to be disclosed to government departments or the Police. Data will only be released on the basis of properly drawn up requests. Vital interests – personal data may be released if it is in the vital interests of the individual e.g. a medical emergency. Under 19 students – the College will normally release information about a student’s progress and attendance to parents or guardians of students under 19 years of age on the previous 31st August.

Accuracy and relevance

Cornerstone will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the CO.

Your personal data

Employees and students  must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the CO so that they can update your records. Examples of the type of data Cornerstone College may process are set out above in the section titled ‘Definitions, Personal Data’.

Data security

All members of the Cornerstone community must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the CO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations. For example, payment of pensions and salaries are outsourced to third parties.

Storing data securely

In cases when data is stored on printed paper, it is kept in a secure place where  unauthorised personnel cannot access it. Printed data is shredded when it is no longer needed. Data stored on a computer is protected by strong passwords that are changed regularly. All staff and students use a password manager to create and store their passwords.

Data stored on CDs or memory sticks must be locked away securely when they are not being used.

The CO must approve any cloud used to store data.

Servers containing personal data must be kept in a secure location, away from general office space.

Data should be regularly backed up in line with Cornerstone’s backup procedures.

Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.

All servers containing sensitive data must be approved and protected by security software and strong firewall.

We store all sensitive personal information securely either in locked filing cabinets or in computer files which are password protected.

Our computer network system is protected by a robust firewall which is monitored by our premises manager.

All administrative and teaching staff are trained about the proper use of personal data. For example, they only communicate with clients and persons related to clients through authorized channels. They must properly annotate and store all such communication. They must report all breaches of data security to the CO. They are aware that they may be subject to criminal proceedings should they deliberately try to access or disclose without authority

They are aware of the threat posed by ‘phishing’ emails and hackers.

Although rarely used we ensure that fax transmissions of sensitive data are double checked to ensure the correct telephone number. We should ensure that we are confident of the receiver’s identity and that the receiver is standing by their fax machine. We use cover sheets for all fax transmissions and where appropriate seek other modes of transmission.

Before we dispose of any computer equipment we ensure that there is no data stored within the equipment. The College is committed to keeping our security systems and security software systems up-to-date and has suffered no major incidents at the time of writing this policy.

All staff are aware of the importance of checking credentials.

The premises manager is responsible for maintaining security of access, maintaining security of data and physical protection of data on  our premises.  This includes:

• The proper training of all staff about authorized entry to the building
• Maintenance of our keypad security entry systems
• The proper admission procedure for all guests to the College
• The maintenance of our CCTV system
• Fire Safety

Breaches of security

Cornerstone takes breaches of security seriously. Examples of potential breaches of security can be caused by a number of factors. Some examples are:

–  Loss or theft of student, staff data and/ or equipment on which data is stored;

–  Inappropriate access controls allowing unauthorised use;

–  Equipment Failure;

–  Human Error;

–  Unforeseen circumstances such as fire or flood;

–  Hacking;

–  ‘Blagging’ offences where information is obtained by deception.

Cornerstone aims to carry out the following procedure to mitigate such circumstances:

1. have a data recovery plan
2. proper assessment of risks
3. notify all related parties such as the ICO, relevant data subjects, the police, banks
4. institute a proper procedure of evaluation and response
5. protocol in relation to breach of security is  regularly updated.
6. The computer databases are password-protected.

See Appendix 1 for full Breach of Security Procedure.

Data retention

Cornerstone retains personal data for no longer than is necessary for the purpose for which it was collected. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention guidelines (See Appendix 2) .

Transferring data internationally

There are restrictions on international transfers of personal data which Cornerstone abides by.  Staff and Students are made aware that they must not transfer personal data anywhere outside the UK without first consulting the CO.

Subject access requests

Cornerstone is aware that under the Data Protection Act 2018, individuals are entitled, subject to certain exceptions, to request access to information held about them. Such subject access requests (SARs) should be made to the CO and include contact details and an outline of the specific information required.

Staff who receive a subject access request should refer that request immediately to the CO, who  may ask them to help comply with those requests.

Cornerstone is a paperless organisation and therefore information for SARs will be drawn from data primarily held digitally and/or on paper, excluding safeguarding notes and correspondence, which must be requested separately and will be released at the discretion of the College. The College does not collect information for SARs from Google Chat. All Google Chat content is automatically deleted every 24 hours. The College prohibits using this platform to discuss safeguarding issues, and so on this risk assessed basis the content is not stored for any longer than 24 hours.

Staff and Students may contact the CO if they would like to correct or request information that Cornerstone College holds about them. There are also restrictions on the information to which individuals are entitled under applicable law.

The College aims to comply with subject access requests as quickly as possible, but will ensure that it is provided within a calendar month of receiving the request, unless there is good reason for delay such as redaction of information that relates to other parties. In such cases, the College will inform the data subject in writing of the cause of the delay.

Processing data in accordance with the individual’s rights

Information must be processed consistent with the rights of individuals with regard to processing personal data. These rights include:

1. A right to a copy of all processed information; in this case the individual will make a ‘subject access request’. We understand that information about our students belongs to them so any request for information by a related third party may only be granted with the consent of the student.

This provision is subject to:

1. The student’s maturity
2. The nature of the personal data
3. Any court orders
4. Our duty of confidence to the child
5. The consequences of disclosing the information especially in cases of suspected abuse
6. Any detriment to the student should the third party not have access to the information
7. The views of the student.

A request for information which involves others may be declined unless we have the other’s consent.

1. A right to object to the processing of information. Any such objection must be provided in proper written form and, depending on circumstances defined by the Act, may not always be granted.
2. In certain circumstances a right to have inaccurate information rectified, blocked, erased or destroyed
3. right to claim compensation.
4. A right not to participate in any direct marketing.
5. Secure.

Marketing

Cornerstone will not send direct marketing material to someone electronically (e.g. via email) unless we have an existing business relationship with them in relation to the services being marketed or an understanding that parties have given consent.

All members of the Cornerstone community will contact the CO for advice on direct marketing before starting any new direct marketing activity.

Training

All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.

Training is provided through an in-house seminar on a regular basis. It will cover:

• The law relating to data protection
• Our data protection and related policies and procedures.

Completion of training is compulsory.

It is our policy to develop an understanding of the rights of individuals under the Data Protection Act through internal programmes as well as with training of all teachers and admin staff. Topics would include: What is personal data? How may personal data be used? How should you keep personal data safe? What rights do you have with regard to processing personal data?

Other types of Data not covered by the act.

This is data that does not identify a living individual and therefore is not covered by the remit of the Data Protection Act; this may fall under other access to information procedures.  This would include:

• Plans (where no individual pupil is named),
• Teaching Resources,
• Other information about the College which does not relate to an individual.

Some of this data would be available publically (for instance the diary for the forthcoming year), and some of this may need to be protected by the College. For example, if the Cornerstone has written a detailed scheme of work that it wishes to sell to other Colleges).  Cornerstone may choose to protect some data in this category but there is no legal requirement to do so.

Privacy Notice – transparency of data protection

Being transparent and providing accessible information to individuals about how we will use their personal data is important for Cornerstone.  The following are details on how we collect data and what we will do with it:

What information is being collected?

Who is collecting it?

How is it collected?

Why is it being collected?

How will it be used?

Who will it be shared with?

Identity and contact details of any data controllers

Details of transfers to third country and safeguards

Retention period

Conditions for processing

Cornerstone will ensure that  any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.

Justification for holding personal personal data

Cornerstone will process personal data in compliance with all eight data protection principles as stated in this policy.

Cornerstone will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.

Consent

The data that Cornerstone collects  is subject to active consent by the data subject. This consent can be revoked at any time.  However, Cornerstone reserves the right to process data where consent may not be obtained in line with competing statutory duties; for example in accordance with Cornerstone’s duty of care in relation to safeguarding; see Child Protection and Safeguarding Policy and Procedure and exemptions clause above.

Criminal record checks

Any criminal record checks are justified by law as an education provider.

Data portability

Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.

Right to be forgotten

A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

Privacy by design and default

Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The CO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.

When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

International data transfers

No data may be transferred outside of the EEA without first discussing it with the CO. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.

Data audit and register

Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

Reporting breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

• Investigate the failure and take remedial steps if necessary
• Maintain a register of compliance failures
• Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures

Monitoring

All Students and staff must observe this policy. The CO has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.

All staff and students are responsible for the following:

• Checking that any information that they provide to the Cornerstone in connection with their employment is accurate and up to date  informing the College of any changes to or errors in information, which they have provided, i.e. changes of address.
• They must ensure that changes of address, etc are notified to the admin staff. The College cannot be held responsible for any such errors unless the staff member or student has informed the Cornerstone of them.
• If and when, as part of their responsibilities, staff collect information about other people, for example, about students’ coursework, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with this policy.

Consequences of failing to comply

Cornerstone takes compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.

The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.

Surveillance

Cornerstone acknowledges its data protection obligations in relation to CCTV. It adopts, where applicable the ICO’s code of practice.

This section also serves as a notice and a guide to data subjects (including pupils, parents, staff, volunteers, visitors to the College and members of the public) regarding their rights in relation to personal data recorded via the CCTV system.

All fixed cameras are in plain sight on  premises and Cornerstone does not routinely use CCTV for covert monitoring or monitoring of private property outside the  College.

Data captured for the purposes below will not be used for any commercial purpose.

Objectives of the System :

• To protect pupils, staff, volunteers, visitors and members of the public with regard to their personal safety.
• To protect the College buildings and equipment, and the personal property of pupils, staff, volunteers, visitors and members of the public.
• To support the police in preventing and detecting crime, and assist in the identification and apprehension of offenders.
• To monitor the security of the site.
• To monitor staff and contractors when carrying out work duties.
• To promote good behaviour of students.

Locations have been selected that the College reasonably believes require monitoring to address the stated objectives.

Warning signs are placed in prominent positions to inform anyone entering the area, such as pupils, staff, volunteers, visitors and members of the public that they are entering a monitored area, identifying the College as the Data Controller and giving contact details for further information regarding the system.

No images will be captured from areas in which individuals would have a heightened expectation of privacy, including changing and washroom facilities.

Maintenance

The CCTV system will be operational 24 hours a day, every day of the year.

The System Manager (defined below) will check and confirm that the system is properly recording and that cameras are functioning correctly, on a regular basis.

The system will be checked and (to the extent necessary) serviced, annually.

Supervision of the System

Staff authorised by Cornerstone to conduct routine supervision of the System may include:

Images will be viewed and/or monitored in a suitable environment where it is unlikely they will be accessed or inadvertently viewed by unauthorised persons.

Storage of Data

The system is administered and managed by Cornerstone, who will act as the Data Controller. The day-to-day management of images will be the responsibility of the IT Services Manager who will act as the System Manager, or such suitable person as the System Manager.

Images will be stored for two weeks, and automatically over-written unless Cornerstone considers it reasonably necessary for the pursuit of the objectives outlined above, or if lawfully required by an appropriate third party such as the police or local authority.

Where such data is retained, it will be retained in accordance with the Act and our Data Protection Policy. Information including the date, time and length of the recording, as well as the locations covered and groups or individuals recorded, will be recorded in the system log book.

Access to Images

Access to stored CCTV images will only be given to authorised persons, under the supervision of the System Manager, in pursuance of the above objectives (or if there is some other overriding and lawful reason to grant such access).

The System Manager must satisfy themselves of the identity of any person wishing to view stored images or access the system and the legitimacy of the request. The following are examples when the System Manager may authorise access to CCTV images:

• Where required to do so by the  Principal, the Police or some relevant statutory authority and in accordance with the law;
• To make a report regarding suspected criminal behaviour;
• To enable the Designated Safeguarding Lead or his/her appointed deputy to examine behaviour which may give rise to any reasonable safeguarding concern;
• To assist the College in establishing facts in cases of unacceptable student behaviour, in which case the parents/guardian will be informed as part of the College’s management of a particular incident;
• To data subjects (or their legal representatives) pursuant to an access request under the Act provided that the time, date and location of the recordings is furnished to the College (see the Data Protection Policy); 6.2.6 To the College’s insurance company where required in order to pursue a claim for damage done to insured property;
• In any other circumstances required under law or regulation.

Where images are disclosed aforementioned above a record will be made in the system log including the person viewing the images, the time of access, the reason for viewing the images, the details of images viewed and a crime incident number (if applicable).

Where images are provided to third parties  above, wherever practicable steps will be taken to obscure images of non-relevant individuals.

Other CCTV systems

Cornerstone may be provided by third parties with CCTV images and will manage these in accordance with the College’s own Data Protection Policy and/or Behaviour policy.

For example, many pupils travel on coaches provided by third party contractors and a number of these coaches are equipped with CCTV systems. Cornerstone  may use these in establishing facts in cases of unacceptable student behaviour, in which case the parents/guardian will be informed as part of the College’s  management of a particular incident.  Parents are informed of this as part of the Coach Service Registration document, to which they agree when registering their son or daughter for the coach service.