This is an overview of our Data and Privacy policies effective from 25th May 2018.
Our full policies are available upon request to email@example.com
- 1. Purpose:
The purpose of this policy is to describe the actions required for The Law Academy to comply with the law in respect of the Personal Data it processes about identifiable living individuals as defined by current Data Protection Legislation (encompassing the EU General Data Protection Regulation, and the UK Data Protection Act 2018). It will also define the good practice required by all staff to protect the company’s stakeholders and the organisation from the consequences of a breach of its responsibilities.
The Law Academy is required to collect and process personal data for the purposes of satisfying administrative, operational and legal obligations, and is committed to a policy of protecting the rights and privacy of in-scope individuals, including employees, clients, suppliers and customers.
The Law Academy acts as a Data Controller under current Data Protection Legislation for employees, and for contractors, consultants, and existing and potential customers where their personal data is held by The Law Academy. The Law Academy also acts as a Data Processor for all personal data processed on behalf of contracted Client Data Controllers.
This Policy enables The Law Academy to:
* Comply with data protection law and follow good practice.
* Protect the rights of staff, clients, suppliers and customers.
* Be open about how it stores and processes individuals’ data.
* Protect itself from the risks of data breach.
- 2. Information gathered and used by The Law Academy
2.1 Prior to enrolment:
We will require students to provide us with the following information prior to enrolment:
- Email address
- Mobile phone number
- Previous qualifications
- Relevant employer details
These details are required to enable us to tailor our pre-enrolment information appointment for you and to ensure you are provided with relevant and useful information when deciding about studying with us.
This information is not shared beyond 2 Directors and the assistant to the Directors. It is securely stored online in a password-controlled environment (Google G Suite).
If you do not enrol during the same academic year, your details are deleted at the end of the academic year in which your enquiry was made.
2.2. During enrolment:
As part of the enrolment process, you will be required to provide online the following information:
- Email address and alternative email address
- UK based home residence address
- Mobile phone number
- Previous law qualifications (if any)
- Medical / education needs if likely to impact on studies and assistance required
- Emergency contact name and mobile number
- Details of current employer (if relevant)
- Current CILEx membership number (if relevant)
- 3. Storage, sharing and retention of your data
Your data is only provided you electronically through our online enquiry and enrolment forms. This data is kept securely in password-controlled Google G Suite accounts only accessed by 2 Directors and the assistant to the Directors.
IT applications and data are held securely in the Google G-Suite cloud and subject to the Data Processing Amendment to G Suite and/or Complementary Product Agreement (Version 2.0).
The technical standards include independent auditors covering data centres, infrastructure and operations. Examples of these audits and standards include: ISO 27001 and ISO 27018:2014. Further details are in the security and compliance whitepaper.
The details under 2.2 are required to enable us to contact and correspond with you, predominantly by email, for your chosen course. Previous qualifications are necessary to ensure you are studying the correct level and units. Medical and education needs are required to enable us to put any additional measures in place to assist with your studies or exams. This information may be shared with your tutors during your studies, but only with your prior consent. An emergency contact person is to ensure we can contact someone on your behalf in case of emergency or illness whilst in class or an exam who has given you consent to provide us with their details.
Employer details are provided by you if your employer is providing us with any funds for your course “Funding Employers”*.
Funding Employers* will be provided with an attendance report at the conclusion of each academic term. This will detail the number of absences you have had during the term and a brief reason you have provided for this. The equivalent for e-learning students will be the number of assessments you have completed during the relevant period of study.
Funding Employers* will also be provided with your exam results if requested.
*The term “Funding employers” includes employers who provide us with the funds for your course, part funds for your course, funds for your course even if this is a loan to you that you must repay to your employer and employers of students studying through an apprenticeship with us.
Your email address will be provided to your tutor(s) for the units you are enrolled to study with us. Tutors are instructed to deleted email addresses once exam results are released at the end of each academic year.
Your data is not shared, sold or rented to any other organisation for marketing or any other purpose.
Our enrolment records are deleted at the end of each academic year and all students must completed a new enrolment record at the outset of each academic year.
We will only hold details of your name, periods of enrolment and exam results while there remains an opportunity for you to study with us. This will enable us to advise you regarding future studies and also can be used for reference purposes you have requested us to provide to third parties.
Data Protection Principles
These principles require that personal information is:-
1. Processed fairly and lawfully.
2. Processed for one or more lawful purposes, and not further processed in any way that is incompatible with the original purpose.
3. Adequate, relevant and not excessive.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Kept for no longer than is necessary for the purpose for which it is being used.
6. Processed in line with the rights of individuals.
7. Kept secure with appropriate technical and organisational measures taken to protect the information.
8. Not transferred outside the European Economic Area (the European Union member states plus Norway, Iceland and Liechtenstein) unless there is adequate protection for the personal information being transferred.
We at the Law Academy aim to employ these principles by ensuring that:-
- Personal information we hold is relevant and necessary to the running of classes, i.e. contact details and any medical or educational special needs of students and contact details, CVs, Proof of qualifications and bank details of teaching consultants.
- When gathering personal information, all individuals are made aware of our data protection policies.
- No information is shared with third parties under any circumstances.
- Databases storing personal information are held on password protected cloud based Google G Suite documents and viewable only by personnel approved by a Director.
- All student information held is deleted after a period of 6 months post completion of all possible qualifications originally anticipated by an individual, unless requested by the individual that the record is held.
- Tutor’s information will be held for a period of 6 years. If requested by HMRC we must disclose any information relating to monies paid within the 6 year period.
Personal Incident/Data Breach Policy
All potential data incidents, whether internal or client related, up to and including full data breaches, are to be reported by all staff as Events of Interest (EOI) to the Managing Director. EOIs are then to be subject to analysis and review for decisions on further action or notifications.
Data Subject Rights Policy
The GDPR details enhanced or new data subject rights as follows:
- Right of Access (Subject Access Requests) – Article 15;
- Right to Rectification – Article 16;
- Right to Erasure – Article 17;
- Right to Restriction – Article 18 and 19;
- Right of Data Portability – Article 20;
- Right to Object – Article 21;
- Rights relating to Auto-Decision Making –Article 22. – Not applicable to The Law Academy
The Law Academy will demonstrate adherence by:
- Responding to all subject access request (SAR) made, in writing to firstname.lastname@example.org, by in-scope data subjects within the required one calendar month response time, subject to any valid exemptions allowed under current Data Protection Legislation;
- Amending, blocking, removing or destroying personal details on request and upon the provision of reasonable and appropriate proof of the need for the action e.g. inaccurate information;
- Ensuring that all Personal Data can be produced in easy machine readable form, where Data Portability is confirmed as applicable under Article 20 GDPR;
- Not undertaking direct marketing to an in-scope data subjects, where the data subject has requested this in writing;
- Ceasing data processing if the data subject can legitimately claim that processing is likely to cause damage or distress;