Data Protection Policy

Published: April 2024

Date approved: March 2024

Review period: Annual

Date of next review: March 2025

Owner: Chief Operating Officer

Approval: Now Teach Board

Scope: All Now Teach employees

Disclaimer:

This Policy document has been prepared by Now Teach and is based on information available as of the date above.  No representation or warranty as to the accuracy or completeness of any information contained herein is given by or on behalf of Now Teach or any of its personnel and no liability whatsoever (whether direct, indirect, incidental, special, consequential, punitive or otherwise) is accepted for any loss arising from any use of such information. The information contained herein does not purport to be complete and is subject (in whole or in part) to updating, completion, revision, amendment and verification.  Where policy and procedures set out in this document conflict with policy and procedures set out in any other Now Teach document(s), Now Teach shall determine which is the most appropriate policy and procedures to apply in the circumstances, subject to any rights of appeal which may be available to any person.  

Now Teach is registered in England and Wales as a [company limited by guarantee] (Registered Office: 4 Bloomsbury Square, London, WC1A 2RP; Company Registration No: 11872096).  Now Teach is also registered in England and Wales as a charity (Registered Office: 4 Bloomsbury Square, London, WC1A 2RP; Charity Registration No: 1189146).

Definitions 

In this document the terms below are understood as follows:

Data Controller - the legal person or organization who decides what personal information will be processed (Now Teach)

The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, replaced the Data Protection Directive on 25th May 2018

Data Protection Officer - the person responsible for ensuring that Now Teach follows its data protection policy and complies with the General Data Protection Regulation 

Individual - the person whose personal information is being held or processed by Now Teach e.g. Applicants and Participants in Now Teach Network, Staff Members and volunteers

Explicit Consent - a freely given, specific and informed agreement by individuals in relation to the processing of personal information about them. Explicit consent is needed for the processing of sensitive data

Processing - collecting, amending, handling, storing or disclosing personal information

Personal Information - information about living individuals that enables them to be identified e.g. name and address. It does not apply to information about organisations, companies or agencies but applies to named persons such as Applicants to and Participants in the Now Teach Network, Staff Members, Trustees, consultants, contributors and volunteers

Sensitive Data - refers to data about racial or ethnic origin, political affiliations, religion or similar beliefs, trade union membership, physical or mental health, sexuality, criminal records or proceedings.

  1. Purpose
    • Now Teach collects and uses certain types of information about the individuals who come into contact with Now Teach in order to carry out its work. This personal data could be collected on paper, stored in a computer database, or recorded on other material. This policy is intended to ensure that personal data is dealt with properly and securely and in accordance with the General Data Protection Regulation (‘GDPR’) and other legislation.
    • The GDPR applies to all computerised data and manual files if they come within the definition of a filing system. Broadly speaking, a filing system is one where the data is structured in some way that is searchable on the basis of specific criteria (so you would be able to use something like the individual’s name to find their information), and if this is the case, it does not matter whether the information is located in a different physical location.
    • This policy will be updated as necessary to reflect best practice, or amendments made to data protection legislation, and shall be reviewed every year.
    • This Data Protection Policy, also known as our Personal Data Privacy Standard, does not form part of any employee’s contract of employment and it may be amended at any time. We may also vary elements, such as any time limits, as appropriate in any case. Any breach of this policy will be taken seriously and may result in disciplinary action.
  2. Who is covered by this policy
    • This policy applies to all employees, directors and other officers, workers and agency workers, volunteers and interns.
    • We also require in any contracts with third parties who may have access to any Personal Data, such as consultants, contractors or suppliers, that they comply with this policy. We will ensure they are given access to a copy.
    • All individuals covered in sections 2.1 and 2.2 are referred to as ‘staff’ in this policy.

 

  3. Who is responsible for this policy
    • Our Data Protection Officer is responsible for ensuring compliance with UK GDPR and with this policy.

Data Protection Officer: Adam Simmons, Data and Insight Manager, dataprotection@nowteach.org.uk

In the absence of the DPO the COO should be contacted with any data protection queries.

3.2  While we ask all managers to work with the Privacy Officer to make sure this policy is complied with, its successful operation also depends on all employees. All Now Teach employees must take the time to read and understand it, and to go back to their manager or Data Protection Officer with any questions they may have. References to Directors in this policy mean the most senior people within our organisation.

  4. Roles and Responsibilities
    • Now Teach
      • Now Teach is responsible for any data that it controls.
      • Now Teach must be compliant with GDPR and data protection.
      • Now Teach will ensure any personal data is only shared within the organisation on a need-to-know basis.
      • Now Teach will ensure that all personal data is stored securely, namely on our CRM and employee database
      • Now Teach staff are made aware of this policy and given training at the start of their employment.
    • Employees
      • Staff are responsible for ensuring any personal data we collect and store relating to our Now Teachers is stored securely on our CRM
      • All data subjects should be aware that we collect their personal data for the purpose of delivering the programme to them

Staff should ensure that any additional personal data is only collected and processed if we have consent.

  5. Definition of Data Protection terms
    • Personal Data in this policy is personal data about an individual who can be directly or indirectly identified from that information. Personal Data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal).
    • Data Subjects for the purpose of this policy include all living individuals about whom we hold Personal Data. A Data Subject need not be a UK national or resident. Individuals should be allowed to exercise their rights in relation to their Personal Data, and Personal Data about them should be made available to individuals who request it.
    • Data Controllers are the people who or organisations that determine the purposes for which, and the manner in which, any Personal Data is processed. They have a responsibility to establish practices and policies in line with relevant laws. We are the Data Controller of all Personal Data used in our business.
    • Data Users include staff whose work involves using Personal Data. Data Users have a duty to protect the Personal Data they handle by following our policies relating to the protection and security of Personal Data at all times. All staff have a responsibility, when using Personal Data, to comply with any security safeguards and procedures we put in place.
    • Data Processors include any people who or organisations that process Personal Data on behalf of a Data Controller. Employees of Data Controllers are excluded from this definition, but it could include third-party suppliers which handle Personal Data on our behalf.
    • Processing is almost any activity that involves use of Personal Data. It includes obtaining, recording or holding Personal Data, or carrying out any operation or set of operations on Personal Data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data to third parties.
    • Special Categories of Data are sensitive categories of Personal Data about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition, sexual life, or sexual orientation. It also includes genetic and biometric Data (where used for ID purposes). Special Categories of Data can only be processed under strict conditions, and may require the explicit consent of the person concerned.
    • Criminal Offence Data is Personal Data that relates to an individual’s criminal convictions and offences. It can only be processed under strict conditions, and may require the explicit consent of the person concerned.
    • Data Breach is any act or omission which compromises the security, confidentiality, integrity or availability of Personal Data, or the safeguards that we or a third party put in place to protect the Personal Data, including losing the Personal Data or disclosing it to unauthorised people.

 

  6. Personal data
    • ‘Personal data’ is information that identifies an individual and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain. A sub-set of personal data is known as ‘special category personal data’. This special category data is information that reveals:
      • Race or ethnic origin
      • Political opinions
      • Religious or philosophical beliefs
      • Trade union membership
      • Physical or mental health
      • An individual’s sex life or sexual orientation
      • Genetic or biometric data for the purpose of uniquely identifying that natural person
    • Special Category Data is given special protection, and additional safeguards apply if this information is to be collected and used.
    • Information relating to criminal convictions shall only be held and processed where there is legal authority to do so.
    • Now Teach does not intend to seek or hold Special Category Data (previously known as sensitive personal data) about staff, applicants or participants except where we have been notified of the information, or it comes to our attention via legitimate means (e.g. a grievance) or needs to be sought and held in compliance with a legal obligation or as a matter of good practice. Staff, applicants and participants are under no obligation to disclose to us their race or ethnic origin, political or religious beliefs, whether or not they are a trade union member or details of their sexual life (save to the extent that details of marital status and / or parenthood are needed for other purposes, e.g. pension entitlements).
  7. Data protection principles
    • The eight data protection principles as laid down in the GDPR are followed at all times:
      • Personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met;
      • Personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes (purpose limitation);
      • Personal data shall be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is being processed (data minimisation);
      • Personal data shall be accurate and, where necessary, kept up to date (accuracy);
      • Personal data processed for any purpose(s) shall not be kept in a form which permits identification of individuals for longer than is necessary for that purpose / those purposes (storage limitation);
      • Personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (security, integrity and confidentiality);
      • Not transferred to another country without appropriate safeguards being in place (transfer limitation), and
      • Processed in line with Data Subjects’ rights (Data Subject’s Rights and Requests).
    • Now Teach is committed to ensuring that at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law.
    • Now Teach is committed to complying with the principles in 7.1 at all times (Accountability). This means that Now Teach will:
      • Inform individuals about how and why we process their personal data through the privacy notices which we issue;
      • Be responsible for checking the quality and accuracy of the information;
      • Regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with the data retention schedule;
      • Ensure that when information is authorised for disposal it is done appropriately;
      • Ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system, and follow the relevant security policy requirements at all times;
      • Share personal information with others only when it is necessary and legally appropriate to do so;
      • Set out clear procedures for responding to requests for access to personal information known as subject access requests;
      • Report any breaches of the GDPR in accordance with the procedure in paragraph 15 below.
  8. Conditions for processing in the first Data Protection principle
    • The individual has given consent that is specific to the particular type of processing activity, and that consent is informed, unambiguous and freely given.
    • The processing is necessary for the performance of a contract, to which the individual is a party, or is necessary for the purpose of taking steps with regards to entering into a contract with the individual, at their request.
    • The processing is necessary for the performance of a legal obligation to which we are subject.
    • The processing is necessary to protect the vital interests of the individual or another.
    • The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
    • Outside of fulfilling our public task, the processing is necessary for a legitimate interest of Now Teach or that of a third party, except where this interest is overridden by the rights and freedoms of the individual concerned.
  9. Use of Personal data
    • Now Teach collects and processes personal data on applicants, potential applicants, participants in the programme, individuals affiliated with partner organisations and supporters. In each case, the personal data must be processed in accordance with the data protection principles as outlined in paragraph 7.1 above.
    • The personal data for applicants and participants includes name, email address, postal address, date of birth, and any other details explicitly provided; for example, details about career and experience.
    • The personal data for staff includes contact details, employment history, and information relating to career progression.
    • Staff should note that information about disciplinary action may be kept for longer than the duration of the sanction. Although treated as “spent” once the period of the sanction has expired, the details of the incident may need to be kept for a longer period.
  10. Security of personal data
    • Now Teach will take reasonable steps to ensure that its members of staff will only have access to personal data where it is necessary for them to carry out their duties.
    • All staff will be made aware of this Policy and their duties under the GDPR. Now Teach will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
  11. Disclosure of personal data to third parties
    • The following list includes the most usual reasons that Now Teach will authorise disclosure of personal data to a third party:
      • to give a confidential reference relating to a current or former employee or volunteer;
      • for the prevention or detection of crime;
      • for the assessment of any tax or duty;
      • for administration of pensions and employee benefits;
      • where it is necessary to exercise a right or obligation conferred or imposed by law upon Now Teach (other than an obligation imposed by contract);
      • for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);
      • for the purpose of obtaining legal advice;
      • for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress);
      • to provide information to the relevant Government Department concerned with national education. At the time of the writing of this Policy, the Government Department concerned with national education is the Department for Education (DfE).
    • Now Teach may receive requests from third parties to disclose personal data it holds. This information will not generally be disclosed unless one of the specific exemptions under data protection legislation which allows disclosure applies; or where necessary, the legitimate interest of the individual concerned.
    • All requests for disclosure must be sent to the Data Protection Officer, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of that third party before making disclosure.
  12. Subject access request
    • Anybody who makes a request to see any personal information held about them by Now Teach is making a subject access request. All information relating to the individual, including that held in electronic or manual files should be considered for disclosure, provided that they constitute a “filing system” (see clause 1.2).
    • The individual’s full subject access right is to know:
      • Whether personal data about him or her are being processed.
      • The purposes of the processing
      • The categories of personal data concerned
      • The recipients or categories of recipient to whom their personal data have been or will be disclosed
      • The envisaged period for which the data will be stored or where that is not possible, the criteria used to determine how long the data are stored
      • The existence of a right to request rectification or erasure of personal data or restriction of processing or to object to the processing
      • The right to lodge a complaint with the Information Commissioner’s Office
      • Where the personal data are not collected from the individual, any available information as to their source
      • Details of the safeguards in place for any transfers of their data to locations outside the European Economic Area
    • All requests should be sent to dataprotection@nowteach.org.uk within 3 working days of receipt, and must be dealt with in full without delay and at the latest within one month of receipt.
    • A subject access request must be made in writing. Now Teach may ask for any further information reasonably required to locate the information and confirm the identity of the individual making the request.
    • An individual only has the automatic right to access information about themselves, and care needs to be taken not to disclose the personal data of third parties where consent has not been given, or where seeking consent would not be reasonable, and it would not be appropriate to release the information. Particular care must be taken in the case of any complaint or dispute to ensure confidentiality is protected.
    • All files must be reviewed by the Data Protection Officer before any disclosure takes place. Access will not be granted before this review has taken place.
    • Where all the data in a document cannot be disclosed a permanent copy should be made and the data obscured or retyped if this is more sensible. A copy of the full document and the altered document should be retained, with the reason why the document was altered.
  13. Exemptions to access by data subjects
    • Where a claim to legal professional privilege could be maintained in legal proceedings, the information is likely to be exempt from disclosure unless the privilege is waived.
    • There are other exemptions from the right of subject access. If we intend to apply any of them to a request then we will always explain which exemption is being applied and why.
  14. Other rights of individuals
    • Now Teach has an obligation to comply with the rights of individuals under the law, and takes these rights seriously. The following section sets out how Now Teach will comply with the rights to:
      • object to processing;
      • rectification;
      • erasure; and
      • data portability.

Right to object to processing

  • An individual has the right to object to the processing of their personal data on the grounds of pursuit of a public interest (ground 5.5 above) where they do not believe that those grounds are adequately established.
  • Where such an objection is made, it must be sent to the Data Protection Officer within 2 working days of receipt, who will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings.
  • The Data Protection Officer shall be responsible for notifying the individual of the outcome of their assessment within twenty working days of receipt of the objection.

Right to rectification

  • An individual has the right to request the rectification of inaccurate data without undue delay. Where any request for rectification is received, it should be sent to the Data Protection Officer within 2 working days of receipt, and where adequate proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and the individual notified.
  • Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data, and communicated to the individual. The individual shall be given the option of a review under the data protection complaints procedure, or an appeal direct to the Information Commissioner.
  • An individual also has a right to have incomplete information completed by providing the missing data, and any information submitted in this way shall be updated without undue delay.

Right to erasure

  • Individuals have a right, in certain circumstances, to have data permanently erased without undue delay. This right arises in the following circumstances:
    • where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed;
    • where consent is withdrawn and there is no other legal basis for the processing;
    • where an objection has been raised under the right to object, and found to be legitimate;
    • where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met);
    • where there is a legal obligation on Now Teach to delete.
  • The Data Protection Officer will make a decision regarding any application for erasure of personal data, and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other data controllers, and / or has been made public, reasonable attempts to inform those controllers of the request shall be made.

Right to restrict processing

  • In the following circumstances, processing of an individual’s personal data may be restricted:
    • where the accuracy of data has been contested, during the period when Now Teach is attempting to verify the accuracy of the data;
    • where processing has been found to be unlawful, and the individual has asked that there be a restriction on processing rather than erasure;
    • where data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise or defence of a legal claim.

Right to portability

  • If an individual wants to send their personal data to another organisation they have a right to request that Now Teach provides their information in a structured, commonly used, and machine readable format. As this right is limited to situations where Now Teach is processing the information on the basis of consent or performance of a contract, the situations in which this right can be exercised will be quite limited. If a request for this is made, it should be forwarded to the Data Protection Officer within 2 working days of receipt, who will review and revert as necessary.
  15. Breach of any requirement of the GDPR
    • Any and all breaches of the GDPR, including a breach of any of the data protection principles shall be reported as soon as it is/they are discovered, to the Data Protection Officer.
    • Once notified, the Data Protection Officer shall assess:
      • the extent of the breach;
      • the risks to the data subjects as a consequence of the breach;
      • any security measures in place that will protect the information;
      • any measures that can be taken immediately to mitigate the risk to the individuals.
    • Unless the Data Protection Officer concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of Now Teach, unless a delay can be justified.
      • If determined by the Data Protection Officer that a breach should be reported to the ICO, the CEO, COO and Chair of the Finance and Risk Committee must be informed and kept updated
    • The Information Commissioner shall be told:
      • details of the breach, including the volume of data at risk, and the number and categories of data subjects;
      • the contact point for any enquiries (which shall usually be the Data Protection Officer);
      • the likely consequences of the breach;
      • measures proposed or already taken to address the breach.
    • If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals then the Data Protection Officer shall notify data subjects of the breach without undue delay unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.
    • Data subjects shall be told:
      • the nature of the breach;
      • who to contact with any questions;
      • measures taken to mitigate any risks.
    • The Data Protection Officer shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed at board level and a decision made about implementation of those recommendations.
  16. Responding to a request
    • When responding to a request where Now Teach has withheld some or all of the information, Now Teach must explain why the information has been withheld, quoting the appropriate section number and explaining how the information requested fits within that exemption. If the public interest test has been applied, this also needs to be explained.
    • The letter should end by explaining to the requestor how they can complain, either by reference to an internal review by the COO, or by writing to the ICO.
  17. Contact
    • The Now Teach Data Protection Officer is Adam Simmons.
    • As outlined above, Subject Access Requests can be submitted to dataprotection@nowteach.org.uk
    • If anyone has any concerns, questions or complaints in relation to this policy or the publication scheme contained within it they should contact the Chief Operating Officer at Now Teach.
    • To contact the Data Protection Officer, please email dataprotection@nowteach.org.uk
    • If you are not satisfied with the assistance that you get or if we have not been able to resolve your complaint and you feel that a formal complaint needs to be made then this should be addressed to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5A, telephone: 0303 123 1113, website: ico.org.uk
  18. Monitoring and review of the policy

We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.

  19. Training
    • New employees must read and understand this policy as part of their induction. All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential Data Breach. All employees are trained to protect individuals’ Personal Data to which they have access, to ensure data security and to understand the consequences to themselves and us of any potential breaches of the provisions of this policy.
    • Staff who are not employees will be required to familiarise themselves with this policy and comply with its obligations in relation to the obtaining, handling, processing, storage, transportation and destruction of Personal Data on our behalf.

Appendix 1

| Information Available | How the information can be obtained | Charge |
|---|---|---|
| Now Teach HQ contact details | Now Teach website: Nowteach.org.uk | No charge |
| Board of Trustees: names and contact details of Trustees and the basis of their appointment | Charity Commission: https://www.gov.uk/government/organisations/charity-commission | No charge |
| Annual financial statements, capital funding and income generation for prior year | Charity Commission: https://www.gov.uk/government/organisations/charity-commission | No charge |
| Statutory accounts | Charity Commission: https://www.gov.uk/government/organisations/charity-commission | No charge |
| Now Teach policies | Now Teach: Chief Operating Officer – info@nowteach.org.uk | No charge |