Privacy Policy

Version: November 2023

Contents:

  1. General
  2. Students
  3. Tutors and Suppliers
  4. Agents and Educational Tour Operators
  5. InTuition Languages Staff

1. General

1.1 Our principles

1.1.1 We do our very best to protect your privacy by using security technology appropriately. This means:

  • We make sure that we have appropriate security measures in place to protect your personal information.
  • We make sure that when we ask another organisation to provide a service for us, they also have appropriate security measures.

1.1.2 We will respect your privacy.

1.1.3 We will collect and use personal information only if we have your permission. We collect different types of information from our clients and suppliers for three reasons:

  • To enable us to provide the services we are contracted to deliver;
  • To help us to monitor and improve the services we offer;
  • If we have specific permission, to market our services to them.

1.1.4 We will be clear as to what information about you we will collect and how we will use it.

1.1.5 We will use your personal information only for the purposes for which it was originally collected.

1.1.6 If we or our service providers transfer any information out of the UK it will only be done with the relevant protections (as stated under UK law) being in place.

1.1.7 Throughout this policy, InTuition Languages Ltd is referred to as ‘we’ or ‘us’. Under each section (Students, Tutors and Suppliers, Agents and Educational Tour Operators and InTuition Languages Employees), the use of ‘you’ refers to the relevant counter-party.

1.2 Your Data Access Rights

1.2.1 You have a right of access to personal data held by us as a data Controller. This right may be exercised by emailing us, telephoning us, or contacting us by mail or via social media.

1.2.2 Your right of access includes the following elements:

  • Your right to be informed of what personal data of yours we hold
  • Your right to request correction of this data
  • Your right to request deletion of this data
  • Your right to object to the inclusion of this data
  • Your right to request that processing of your data be restricted
  • Your right to data portability
  • Your right to data transfer

1.2.3 Further information about your data access rights can be found on the Information Commissioner’s Office website, at https://www.ico.org.uk. Any data access requests should be directed to our Data Protection Manager, who will respond to you within one calendar month at the latest. To update your personal data submitted to us, you may email us at learn@intuitionlang.com.

1.3 Contact Details

Email: learn@intuitionlang.com

Telephone: +44 (0)207 739 4411

Address: Data Protection Manager, InTuition Languages Ltd, 106 Alton House, 27-31 Grange Road, Darlington

1.4 EEA Data Representative

Email: art-27-rep-intuition@rickert.law

Rickert Rechtsanwaltsgesellschaft mbH, Colmantstraße 15, 53115 Bonn, Germany

1.5 Policy Review Dates

Date

Reviewed by

Notes

May 2018

 Director Minor review to ensure GDPR compliance
December 2018 Director Changes made to incorporate Vis-a-Vis online programmes

October 2019

Director

Changes made in preparation for the UK’s exit from the EEA in Jan 2021

June 2021

CEO

Minor review and post-Brexit clarifications

January and March 2022

CEO

Addition of clauses relating to the recording of data for teaching observations

June 2022

CEO

Addition of clauses relating to split bookings

November 2022

CEO

Addition of clauses relating to J2J

January 2023

CEO

Addition of clauses relating to student identity verification

November 2023

CEO

Addition of section for InTuition Staff

1.6 Data Protection

1.6.1 Ensuring the security of stakeholder personal data is our priority at all times.

1.6.2 Personal data is stored digitally. We do not retain paper / hard copies of any personal data.

1.6.3 All personal data is stored either on our Salesforce CRM database, our Microsoft 365 database, or both.

1.6.4 Access to both Salesforce and Microsoft 365 is restricted to appropriately authorised company devices. Two-factor authorisation is required in all cases.

1.7 Breach Notification and Reporting

1.7.1 We report any losses or suspected  breaches of personal data to the UK Information Commissioner (ICO) within 72 hours of becoming aware of the breach.

1.7.2 Furthermore, when the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, we notify the affected individuals without undue delay.

2. Students

How we use your information

2.1. What information do we collect?

2.1.1 We collect information on you:

  • When you make an enquiry or application for a course, either through the website or via email or phone, and
  • When you formally confirm a course enrolment, and
  • When data is passed to us by an Agent for the processing of an enquiry, application or enrolment. If you are enquiring, applying or enrolling on one of our courses via an appointed Agent, their Privacy Policy will also determine how your personal data is collected and processed by them.
  • If a lesson(s) during your course is recorded for academic management purposes

If you make (or your appointed Agent makes) a basic enquiry for more information about our courses, we require you to provide the following information:

  • Your name
  • Your email address
  • Your telephone number

If you choose to make a full course application, we require some or all of the following additional information in order to match you with a suitable tutor and provide you with an accurate course quote:

  • Your home address, date of birth, sex and nationality
  • Information regarding your current target language ability
  • Your interests and hobbies
  • Any relevant special needs or requirements

When we have referred a suitable tutor to you, and you have accepted and confirmed your course, we may require further information to finalise your programme of study:

  • Your travel details
  • Your next of kin contact email address and telephone number

2.1.2 Information which must be provided is highlighted on the relevant form(s).

2.1.3 By submitting your information to us for the purposes of making an enquiry or applying for a course, you grant us consent to use your personal data for the purposes of answering your enquiry or arranging your requested study programme. You may withdraw your consent at any time.

2.1.4 After you have made an enquiry or application, and with your explicit permission, we may send you marketing communcations. Newsletters may be personalised based on your enquiry / application requirements. You may withdraw your consent at any time.

2.1.5 If a lesson observation take places during your course, your image may be video recorded alongside your tutor's. Recordings are viewed only by our academic management team, and not used for any wider training or promotional purpose.

2.1.6 We require all students to verify their identity prior to their Course Start Date. This may be done by the student's appointed Agent, or directly by InTuition Languages. Any data used for identity verification purposes (copies of passports, driving licences or other forms of ID) is retained only until the verification process is complete.

2.2 Ongoing data retention

2.2.1 To satisfy UK government requirements, we retain details of all payments made by you with records of invoices and other relevant documents.

2.2.2 We retain records of all courses which we teach for British Council accreditation purposes. This data includes the names and ages of students and their precise course of study (course type and dates) followed. We retain this information as an obligation of our accreditation as a British Council school.

2.2.3 If you have given consent to be contacted for marketing purposes, we may retain all data collected in order to effectively tailor the messages we send to you. You may opt-out of receiving marketing messages at any time.

2.2.4 All of your data which we retain is stored on servers physically located in the UK or EEA.

2.3 Whom we share data with

2.3.1 After you enrol on a course with us, we will share relevant information with selected tutors who are registered with us. This is so that they can decide whether they wish to teach you the requested course. The information we share includes your name, age, gender, English level, requested course type, duration and dates, and any voluntary information you have provided during the enquiry / application process which may be relevant. We do not share next of kin information.

  • If you have applied for a course in the UK or an online EFL course, your data will be controlled by us and processed by a tutor or tutors under the requirements of UK GDPR. To ensure that we and our tutors are compliant under EU GDPR when controlling and processing your data, we have appointed a Data Representative within the EEA. Details can be found at the top of this policy.
  • If you have applied for a course outside the UK and EEA (for example, in the USA, Canada or Australia), your data will be controlled by us under the requirements of UK GDPR and processed by a tutor or tutors under the requirements of the data protection regulations in their country. To ensure that the standards of UK GDPR are maintained in these circumstances, we sign individual Standard Contractual Clauses with tutors and / or local organisers who live outside the UK and EEA.
  • If you have applied for a course in the EEA or an online MFL course, your data will be controlled by us under the requirements of UK GDPR and processed by a tutor or tutors under the requirements of EU GDPR.

2.3.2 Once you have confirmed your course, we provide the confirmed tutor(s) with your email address, phone number, home address, and any travel information you have provided. For J2J courses or any other programme where you share tuition and / or accommodation with a third party, your email address and phone number will also be shared with the relevant third party at this time. The third party will act as a processor of your data under UK GDPR.

2.3.3 Tutors are not permitted to use your contact information for any purposes other than those immediately related to your course of study with them.

2.3.4 We will not share your personal information with any other organisation for marketing purposes unless you have provided consent. You can withdraw your consent at any time.

2.3.5 We may use service providers to help us manage our commercial operations, some of whom may be based outside the UK and EEA. Any organisations which access your information in the course of providing services on our behalf will be governed by strict contractual restrictions to make sure that they protect your information and adhere to any data protection and privacy laws which apply.

2.3.6 Some of our webpages use plug-ins from other organisations (such as the ‘Facebook Recommend’ function). These other organisations may use information about your visit to our websites on their pages. If you browse these pages while still also logged in to your account with us, information they collect may be connected to your account on their site. For more information on how these organisations use information, please read their privacy policies.

2.4 Data shared with you

2.4.1 Once a tutor whom we have contacted on your behalf has indicated that they would be interested in hosting and / or teaching you, we will send you their profile. The profile includes personal information regarding the teacher’s name, general location, family, professional experience and qualifications.

2.4.2 When you confirm a course, we will send you additional information, including the tutor’s email address, phone number and home address.

2.4.3 You act as a Processor of this data under UK GDPR. You must not use any personal data shared with you for any purposes other than those directly necessary for the organisation and study of your InTuition Languages course.

2.5 Google Analytics

2.5.1 We use Google Analytics on our sites for anonymous reporting of site usage and for advertising on the site. If you would like to opt-out of Google Analytics monitoring your behaviour on our sites please use this link (https://tools.google.com/dlpage/gaoptout/)

  

3. Tutors and Suppliers

How we use your information

3.1 What information do we collect?

3.1.1 We collect information on you:

  • when you make an enquiry or application about registering as a tutor, either through the website or via email, phone or social media, and
  • when you formally register as a tutor following an enquiry or application
  • When making a video or audio recording for the purpose of observing your teaching practise. Recordings are viewed only by our academic management team, and not used for any wider training or promotional purpose.

If you make a basic enquiry for more information about registering as a tutor, we require you to provide the following information:

  • Your name
  • Your email address
  • Your telephone number

If you then choose to proceed with your registration, we require the following additional information in order to create your profile (which is shared with potential students) and ensure compliance with British Council and other regulatory body requirements:

  • Your date of birth, sex and home address
  • Your current or most recent occupation
  • Details of your academic and ELT qualifications and experience, including proofs or certificates where applicable
  • Details of your home (including its size, location and facilities)
  • Details of your personal interests
  • Details of family members or other individuals living with you, including their names, dates of birth, interests and occupations
  • Photographs of your home and family (family photographs are optional)
  • Proof of identity and of your right to work in your country of residence
  • Details of two professional referees who consent to be contacted by us our your behalf
  • Your bank details, in order to facilitate payment for courses undertaken

3.1.2 We ask students to provide feedback on their tutor(s). This feedback includes opinions about you, which is retained for marketing and quality management purposes.

3.1.3 If you wish to register to host under 18s, we will also require that you provide further information as outlined in our separate Safeguarding Policy and Procedure. This includes DBS / police check certificates.

3.1.4 This information is used to build your profile which is sent to prospective students on an as-required basis and which may be used in general marketing campaigns.

3.1.5 By submitting your information to us for the purposes of making an enquiry or registering as a tutor, you grant us consent to use your personal data for the purposes of answering your enquiry or processing your registration. You may withdraw your consent at any time.

3.1.6 After you have made an enquiry for more information about registering as a tutor, and with your specific consent, we may send you marketing communications. Newsletters may be personalised based on your location and professional specialisation(s). At any time you can withdraw your consent to receive these communications.

3.1.7 By completing a full registration as a host tutor you provide us with consent to contact you both with details of potential courses and with information bulletins regarding training and social opportunities, and general school updates.

3.1.8 As outlined in our Observations Policy, all tutors are required to undergo periodic observation and assessment by a member of our Academic Management Team. Observations are conducted asynchronously: tutors use Zoom or alternative video recording software to record themselves and their students during the lesson in question. The recording is then sent to us for evaluation and feedback. Once we have received a recording from you, we act as Controller of that data. We use observation recordings only for academic management purposes and not for any broader commercial application. Recordings are stored on our data servers in the UK.

3.2 Ongoing data retention

3.2.1 To satisfy UK government requirements, we retain details of all payments made to you along with records of invoices and other relevant documents.

3.2.2 Should we not receive any communication from you over a five year period, we will contact you to check whether you still wish to remain registered as a tutor. If you do not respond to this enquiry, we will permanently delete all of your personal data with the exception of that data necessary to maintain internal records of courses delivered: your name and email address. We are obliged to retain this data for British Council accreditation purposes.

3.3.3 If you no longer wish to remain registered with us, you may cancel your registration at any time. We will permanently delete all of your personal data with the exception of that data necessary to maintain internal records of courses delivered: your name and email address. We are obliged to retain this data for British Council accreditation purposes.

3.3 Whom we share data with

3.3.1 The information which you provide to us during the registration process is shared with prospective students during the course placement process. It is also shared with our agent partners via our Agent Portal.

3.3.2 In each instance where we feel you would be a suitable tutor for a specific course, we will seek your permission to be recommended (i.e. for your profile to be sent to the student or their agent) before doing so.

3.3.3 The information provided on your profile does not include your address, phone number, email address or surname. It focuses on your personal and professional background relevant to the course requested. It also includes feedback from any previous students who have consented for their feedback to be shared. You may access and review the data presented on your profile at any time.

  • If a prospective student lives in the UK, your data will be shared with the student and / or their appointed agent under the requirements of UK GDPR. To ensure that we and our tutors are compliant under EU GDPR when controlling and processing your data, we have appointed a Data Representative within the EEA. Details can be found at the top of this policy.
  • If a prospective student lives in the EEA, your data will be shared with the student and / or their appointed agent under the requirements of EU GDPR equivalency with UK GDPR.
  • If a prospective student lives outside the UK and EEA, your data will be shared with the student / and or their appointed agent under the terms of a specific Standard Contractual Clause (SCC) agreement, unless the UK recognises the data protection laws in the student’s host country as being equivalent to UK GDPR.

3.3.4 Once a student confirms a course, we share further information with them and / or their appointed Agent. This includes your full name and address, contact phone number, and email address.

3.3.5 Students and their Agents are not permitted to use your contact information for any purposes other than those immediately related to their course of study with you.

3.3.6 If you are teaching a 'split course' (i.e. one with more than one tutor), your email address and phone number will be shared with the other tutor(s) concerned, in order to allow communication between tutors for academic discussion, the making of transfer arrangements, setting arrival and departure times, and anything else relevant to the management of the student's programme of study.

3.3.7 We will not share your personal information with any third parties for marketing purposes unless you have given us your consent. You may withdraw your consent at any time.

3.3.8 Some of our webpages use plug-ins from other organisations (such as the ‘Facebook Recommend’ function). These other organisations may use information about your visit to our websites on their pages. If you browse these pages while still also logged in to your account with us, information they collect may be connected to your account on their site. For more information on how these organisations use information, please read their privacy policies.

3.4 Data shared with you

3.4.1 When contacting you with regards to a potential booking, we will share certain student information with you: the student’s name, age, course requirements and preferences.

3.4.2 Once a student confirms a course of study with you, we will send you further information: their email address, phone number and home address.

3.4.3 When teaching a 'split course', we will also send you the email addresss and phone number for other tutors involved in the delivery of the programme in question.

3.4.5 Under UK GDPR and EU GDPR, you are a Processor and responsible for the security of this data. You must not use the information provided for any purpose other than those directly necessary for the student’s course of study with you. You must not share any student data with any other third parties. If you live outside the UK and EEA, we will ask you to sign a Standard Contractual Clause agreement prior to student data being transferred to you.

3.5 Google Analytics

3.5.1 We use Google Analytics on our sites for anonymous reporting of site usage and for advertising on the site. If you would like to opt-out of Google Analytics monitoring your behaviour on our sites please use this link (https://tools.google.com/dlpage/gaoptout/)

3.6 Legal information and how to contact us

3.6.1 If you would like access to or a copy of the personal information we hold about you, to request a correction, or have any questions about how we may use it or to make a complaint, please contact the Data Protection Manager at InTuition Languages Ltd, Business Central, 2 Union Square, Central Park, Darlington, DL1 1GL, UK. Complaints will be dealt with by the Data Protection Manager, and will be responded to within 30 days at the latest. If you are not satisfied with the way your complaint was handled, you may be able to refer your complaint to the UK Information Commissioner’s Office (ICO).

4. Agents and Educational Tour Operators (ETOs)

4.1 Registering as an Agent or ETO

4.1.1 If you choose to register with us as an Agent or ETO, we will require you to provide certain information regarding your organisation:

  • Your company name and contact details (phone, email and address)
  • The name(s) of relevant staff members (manager and student counsellors) and their contact information

4.1.2 We act as controller of this data under UK GDPR. It is retained securely on our computer systems in the UK.

4.2 Ongoing data retention

4.2.1 To satisfy UK government requirements, we retain details of all payments made to you or received from you, along with records of invoices and other relevant documents.

4.2.2 Within the exception of financial information, if you decide that you no longer wish to represent our school as an Agent or ETO, we will delete or anonymise all retained data on request. You may make this decision at any time.

4.3 Data you share with us

4.3.1 When you enrol a student with us, we become the Controller of that student data.

4.3.2 If you are located inside the EEA, you will require a Standard Contractual Clause (SCC) agreement to be in place with us before any transfer of student data takes place. If you are located outside the EEA, your local regulations may also require an SCC agreement to be in place.

4.3.3 During the process of an enquiry, application or enrolment, you must share with us certain student data in order to allow us to recommend a suitable host tutor.

4.3.4 The data required is outlined on our enquiry and application form(s). In all cases, we require the following:

  • Student’s name and date of birth
  • Student’s course requirement (location, duration, intensity, type)
  • Student’s current target language level
  • Student’s special educational or hosting needs, if applicable

4.3.5 Once a student has confirmed their enrolment, we also require the following information:

  • Student’s mobile phone number
  • Student’s email address
  • Student’s next of kin details and contact information

4.3.6 Throughout the enquiry, application and enrolment process, and during a student’s course of study, we act as a Controller of the student’s data. We do not use student information for any purposes not directly necessary for organising of their course of study. We share student information with tutors in accordance with the policies outlined under Tutors in this Policy.

4.4 Data we share with you

4.4.1 We Control tutor data under the requirements of UK GDPR. You Process tutor data under the data protection requirements in your country.

4.4.2 Once we receive a complete enrolment from you, we select a tutor whom we consider a suitable match, considering the student’s specific requirements.

4.4.3 We send you the tutor’s profile, which contains includes information regarding the host tutor’s name, general location, family, professional experience and qualifications. You share this information with students according to the principles outlined under Students in this policy, and your own privacy policy. Tutors' profiles are also available via the Agent Portal; the same Privacy requirements apply in all contexts in which tutor information is transferred to you.

  • If you are located in the UK, tutor data will be transferred to you under the requirements of UK GDPR.
  • If you are located in the EEA, tutor data will be transferred to you under the requirements of EU GDPR through UK GDPR equivalency.
  • If you are located outside the UK and EEA, tutor data will be transferred to you under the terms of a Standard Contractual Clause (SCC) agreement. This agreement must be signed before transfer of data can take place.

4.4.4 When you confirm a course, we also send you the tutor’s email address, phone number and home address. Again, you share this information with students according to the principles outlined under Students in this policy, and your own privacy policy.

4.4.5 You are responsible for the security of this data under UK GDPR, EU GDPR or the terms of an SCC agreement. You must not use the information provided for any purpose other than those directly necessary for organising a student’s course of study. You must not share any tutor data with any third parties, except the student themselves.

5. InTuition Languages Staff

5.1 General

5.1.1. InTuition Languages Ltd is committed to ensuring that all personal data handled by us will be processed according to legally compliant standards of data protection and data security.

5.1.2 We confirm for the purposes of the data protection laws, that we are a data controller of the personal data in connection with your employment. This means that we determine the purposes for which, and the manner in which, your personal data is processed.

5.1.3 The purpose of this Policyis to help us achieve our data protection and data security aims by:

  • notifying our staff of the types of personal information that we may hold about them, our customers, suppliers and other third parties and what we do with that information;
  • setting out the rules on data protection and the legal conditions that must be satisfied when we collect, receive, handle, process, transfer and store personal data and ensuring staff understand our rules and the legal standards; and
  • clarifying the responsibilities and duties of staff in respect of data protection and data security.

5.1.4 This is a statement of policy only and does not form part of your contract of employment. We may amend this Policy at any time, in our absolute discretion.

5.1.5 For the purposes of this Policy:

    • Data protection laws means all applicable laws relating to the processing of personal data, including, for the period during which it is in force, the UK General Data Protection Regulation.
    • Data subject means the individual to whom the personal data relates.
    • Personal data means any information that relates to an individual who can be identified from that information.
    • Processing means any use that is made of data, including collecting, storing, amending, disclosing, or destroying it.
    • Special categories of personal data means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.

5.2 Data Protection Principles

5.2.1 Staff whose work involves using personal data relating to staff, customers or suppliers must comply with this Policy and with the following data protection principles which require that personal information is:

    • Processed lawfully, fairly and in a transparent manner. We must always have a lawful basis to process personal data, as set out in the data protection laws. Personal data may be processed as necessary to perform a contract with the data subject, to comply with a legal obligation which the data controller is the subject of, or for the legitimate interest of the data controller or the party to whom the data is disclosed. The data subject must be told who controls the information (us), the purpose(s) for which we are processing the information and to whom it may be disclosed.
    • Collected only for specified, explicit and legitimate purposes.Personal data must not be collected for one purpose and then used for another. If we want to change the way we use personal data, we must first tell the data subject.
    • Processed only where it is adequate, relevant and limited to what is necessary for the purposes of processing. We will only collect personal data to the extent required for the specific purpose notified to the data subject.
    • Accurate and the Employer takes all reasonable steps to ensure that information that is inaccurate is rectified or deleted without delay. Checks to personal data will be made when collected and regular checks must be made afterwards. We will make reasonable efforts to rectify or erase inaccurate information.
    • Kept only for the period necessary for processing.Information will not be kept longer than it is needed and we will take all reasonable steps to delete information when we no longer need it. For guidance on how long particular information should be kept, contact the Data Protection Manager.
    • Secure, and appropriate measures are adopted by the Employer to ensure as such.

5.3 Who is Responsible for Data Protection and Data Security?

5.3.1 Maintaining appropriate standards of data protection and data security is a collective task shared between us and you. This Policy and the rules contained in it apply to all staff of the Employer, irrespective of seniority, tenure and working hours, including all employees, directors and officers, consultants and contractors, casual or agency staff, trainees, homeworkers and fixed-term staff and any volunteers.

5.3.2 Questions about this Policy, or requests for further information, should be directed to theData Protection Manager.

5.3.3 All Staff have personal responsibility to ensure compliance with this Policy, to handle all personal data consistently with the principles set out here and to ensure that measures are taken to protect the data security. Managers have special responsibility for leading by example and monitoring and enforcing compliance. TheData Protection Manager must be notified if this Policy has not been followed, or if it is suspected this Policy has not been followed, as soon as reasonably practicable.

5.3.4 Any breach of this Policywill be taken seriously and may result in disciplinary action up to and including dismissal. Significant or deliberate breaches, such as accessing Staff or customer personal data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

5.4 What Personal Data and Activities are Covered by This Policy?

5.4.1 This Policycovers personal data:

    • Which relates to a natural living individual who can be identified either from that information in isolation or by reading it together with other information we possess;
    • Is stored electronically;
    • in the form of statements of opinion as well as facts;
    • which relates to Staff (present, past or future) or to any other individual whose personal data we handle or control;
    • which we obtain, is provided to us, which we hold or store, organise, disclose or transfer, amend, retrieve, use, handle, process, transport or destroy.

5.4.2 This personal data is subject to the legal safeguards set out in UK GDPR.

5.5 What Personal Data Do We Process About Staff?

5.5.1 We collect personal data about you which:

    • You provide or we gather before or during your employment or engagement with us;
    • Is provided by third parties, such as references or information from suppliers or another party that we do business with; or
    • Is in the public domain.

5.5.2 The types of personal data that we may collect, store and use about you include records relating to your:

    • Home address, contact details and contact details for your next of kin;
    • Recruitment (including your application form or curriculum vitae, references received and details of your qualifications);
    • Pay records, national insurance number and details of taxes and any employment benefits such as pension and health insurance (including details of any claims made);
    • Telephone, email, internet, fax or instant messenger use;
    • Performance and any disciplinary matters, grievances, complaints or concerns in which you are involved.

5.6 Sensitive Personal Data

5.6.1 We may from time to time need to process sensitive personal information (sometimes referred to as 'special categories of personal data').

5.6.2 We will only process sensitive personal information if:

    • We have a lawful basis for doing so, e.g. it is necessary for the performance of the employment contract; and
    • One of the following special conditions for processing personal information applies:
      • The data subject has given explicit consent.
      • The processing is necessary for the purposes of exercising the employment law rights or obligations of the Company or the data subject.
      • Processing relates to personal data which are manifestly made public by the data subject.
      • The processing is necessary for the establishment, exercise, or defence or legal claims; or
      • The processing is necessary for reasons of substantial public interest.

5.6.3 Before processing any sensitive personal information, Staff must notify the Data Protection Manager of the proposed processing, in order for the Data Protection Manager to assess whether the processing complies with the criteria noted above.

      5.6.3 Sensitive personal information will not be processed until the assessment above has taken place and the individual has been properly informed of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.

      5.6.4 This Privacy Policy sets out the type of sensitive personal information that we process, what it is used for and the lawful basis for the processing.

      5.7 How We Use Your Personal Data

      5.7.1 We will tell you the reasons for processing your personal data, how we use such information and the legal basis for processing in our Privacy Notice. We will not process Staff personal information for any other reason.

      5.7.2 In general, we will use information to carry out our business, to administer your employment or engagement and to deal with any problems or concerns you may have, including, but not limited to:

        • Staff address lists: to compile and circulate lists of home addresses and contact details, to contact you outside working hours.
        • Sickness records: to maintain a record of your sickness absence and copies of any doctor's notes or other documents supplied to us in connection with your health, to inform your colleagues and others that you are absent through sickness, as reasonably necessary to manage your absence, to deal with unacceptably high or suspicious sickness absence, to inform reviewers for appraisal purposes of your sickness absence level, to publish internally aggregated, anonymous details of sickness absence levels.
        • Monitoring IT systems: to monitor your use of e-mails, internet, telephone and fax, computer or other communications or IT resources.
        • Disciplinary, grievance or legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve you.
        • Performance reviews: to carry out performance reviews.

      5.8 Accuracy and Relevance

      5.8.1 We will:

        • ensure that any personal data processed is up to date, accurate, adequate, relevant and not excessive, given the purpose for which it was collected.
        • not process personal data obtained for one purpose for any other purpose, unless you agree to this or reasonably expect this.

      5.8.2 If you consider that any information held about you is inaccurate or out of date, then you should tell theData Protection Manager. If they agree that the information is inaccurate or out of date, then they will correct it promptly. If they do not agree with the correction, then they will note your comments.

      5.9 Storage

      5.9.1 Personal data (and sensitive personal information) will be kept securely in a digital format. We do not retain physical copies of any personal data.

      5.10 Data Security

      5.10.1 We use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. All staff have a duty to ensure the security of personal data which they have access to.

      5.10.2 Maintaining data security means making sure that:

        • Only people who are authorised to use the information can access it;
        • Where possible, personal data is pseudonymised or encrypted;
        • Information is accurate and suitable for the purpose for which it is processed; and
        • Authorised persons can access information if they need it for authorised purposes.

      5.10.3 By law, we must use procedures and technology to secure personal information throughout the period that we hold or control it, from obtaining to destroying the information.

      5.10.4 Personal information must not be transferred to any person to process (eg while performing services for us on or our behalf), unless that person has either agreed to comply with our data security procedures or we are satisfied that other adequate measures exist.

      5.10.5 Security procedures include:

        • Computers should be locked with a strong password that is changed regularly or shut down when they are left unattended and discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
        • Data stored on CDs or memory sticks must be encrypted or password-protected and locked away securely when they are not being used.
        • TheData Protection Manager must approve of any cloud used to store data.
        • Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
        • All servers containing sensitive personal data must be approved and protected by security software.
        • Servers containing personal data must be kept in a secure location, away from general office space.
        • Data should be regularly backed up in line with the Employer's back-up procedure.

      5.10.6 Telephone precautions. Particular care must be taken by Staff who deal with telephone enquiries to avoid inappropriate disclosures. In particular:

        • The identity of any telephone caller must be verified before any personal information is disclosed;
        • If the caller's identity cannot be verified satisfactorily then they should be asked to put their query in writing;
        • Do not allow callers to bully you into disclosing information. In case of any problems or uncertainty, contact the Data Protection Manager.

      5.10.7 Methods of disposal. Copies of personal information must be physically destroyed when they are no longer needed.

      5.11 Data Breaches

      5.11.1 If we discover that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery.

      5.11.2 If the breach is likely to result in a high risk to your rights and freedoms, we will tell affected individuals that there has been a breach and provide them with more information about its likely consequences and the mitigation measures it has taken.

      5.12 Individual Responsibilities

      5.12.1 Staff are responsible for helping the Employer keep their personal data up to date.

      5.12.2 Staff should let the Employer know if personal data provided to the Employer changes, e.g. if you move house or change your bank details.

      5.12.3 You may have access to the personal data of other staff members and of our customers and suppliers in the course of your employment. Where this is the case, the Employer relies on staff members to help meet its data protection obligations.

      5.12.4 Individuals who have access to personal data are required:

        • To access only personal data that they have authority to access and only for authorised purposes;
        • Not to disclose personal data except to individuals (whether inside or outside of the Employer) who have appropriate authorisation;
        • To keep personal data secure (e.g. by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
        • Not to remove personal data, or devices containing or that can be used to access personal data, from the Employer's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
        • Not to store personal data on local drives or on personal devices that are used for work purposes.
        • To report any breach of personal data to the Data Protection Manager as soon as any breach occurs, or as soon as the individual becomes aware of the breach having occurred.

      5.13 Training

      5.13.1 We will provide training to all individuals about their data protection responsibilities as part of the induction process and at regular intervals thereafter.

      5.13.2 Individuals whose roles require regular access to personal data, or who are responsible for implementing this Policy or responding to subject access requests under this Policy will receive additional training to help them understand their duties and how to comply with them.