ETC Data Protection and Privacy Policy

ETC International College (The College) is committed to a policy of protecting the rights and privacy of individuals, including learners, staff and others, in accordance with the General Data Protection Regulation (GDPR), May 2018.

Introduction

Educational Training Centre (UK) Ltd, trading as ETC International College, takes your privacy seriously. This Policy explains the steps we take to ensure information about you is kept secure and confidential.

ETC International College needs to process certain information about its staff, students, parents and guardians, homestay hosts, commercial representatives and other individuals with whom it has a relationship for various purposes such as, but not limited to:

  1. The recruitment and payment of staff.
  2. The administration of programmes of study and courses.
  3. Student enrolment.
  4. Examinations and external accreditation.
  5. Recording student progress, attendance and conduct.
  6. Collecting fees.
  7. Complying with legal obligations to funding bodies and government including local government.

To comply with various legal obligations, including the obligations imposed on it by the General Data Protection Regulation (GDPR), ETC International College must ensure that all this information / personal data about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.

Personal data is information relating to an individual and may be in hard or soft copy (paper/manual files; electronic records; photographs; CCTV images), and may include facts or opinions about a person.

The GDPR also sets out specific rights for College students in relation to educational records held within the state education system. These rights are set out in separate education regulations ‘The Education (Pupil Information) (England) Regulations 2000’. For more detailed information on these Regulations see the Data Protection Data Sharing Code of Practice (DPCoP) from the Information Commissioner’s Office (ICO). Please follow this link to the ICO’s website (www.ico.gov.uk)

Data Controller

ETC International College (company number 2534867) is the Data Controller in relation to the Services and your personal data.

Registered and physical addresses

ETC International College’s registered address is 21 Church Road, Parkstone, Poole.  BH14 8UF.

The address of ETC International College’s training centre is 22-26 West Hill Road, Bournemouth.  BH2 5PG.  This is the site where the College’s data processing activities are focused.

If you have any queries relating to our use of your personal data or any other data protection issues, please contact us with details of your query.

General Statement of the College’s Duties and Scope

The College is required to process relevant personal data regarding members of staff, volunteers, applicants, parents, students and their siblings, alumni and customers as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.

Data Protection Officer

The College has appointed the Director as the Data Protection Officer (DPO) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the GDPR May 2018.

The Senior Leadership Team is responsible for all day-to-day data protection matters and will be responsible for ensuring that all members of staff and relevant individuals abide by this policy, and for developing and encouraging good information handling within the college.

The Senior Leadership Team is also responsible for ensuring that the college’s notification is kept accurate. Details of the College’s notification can be found on the Office of the Information Commissioner’s website. Our data registration number is: Z4924341.

The Freedom of Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of this policy.

The Principles

In summary, the College shall so far as is reasonably practicable comply with the 8 Data Protection Principles (the Principles) contained in the GDPR to ensure that all data is:-

  • Fairly and lawfully processed
  • Processed for a specific and lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than necessary
  • Processed in accordance with the data subject’s rights
  • Secure
  • Not transferred to other countries without adequate protection.

Detailed consideration of the Principles

In order to comply with its obligations, ETC International College undertakes to adhere to the eight principles:

1) Process personal data fairly and lawfully.

ETC International College will make all reasonable efforts to ensure that individuals who are the focus of the personal data (data subjects) are informed of the identity of the data controller, the purposes of the processing and any disclosures to third parties that are envisaged, and are given an indication of the period for which the data will be kept and any other information which may be relevant.

2) Process the data for the specific and lawful purpose for which it collected that data and not further process the data in a manner incompatible with this purpose.
ETC International College will ensure that the reason for which it collected the data originally is the only reason for which it processes those data, unless the individual is informed of any additional processing before it takes place.

3) Ensure that the data is adequate, relevant and not excessive in relation to the purpose for which it is processed.
ETC International College will not seek to collect any personal data which is not strictly necessary for the purpose for which it was obtained. Forms for collecting data will always be drafted with this in mind. If any irrelevant data are given by individuals, they will be destroyed immediately.

4) Keep personal data accurate and, where necessary, up to date.
ETC International College will review and update all data on a regular basis. It is the responsibility of the individuals giving their personal data to ensure that this is accurate, and each individual should notify the College if, for example, a change in circumstances means that the data needs to be updated. It is the responsibility of the College to ensure that any notification regarding the change is noted and acted on.

5) Only keep personal data for as long as is necessary.
ETC International College undertakes not to retain personal data for longer than is necessary to ensure compliance with the legislation, and any other statutory requirements. This means ETC International College will undertake a regular review of the information held and implement a weeding process.  ETC International College will dispose of any personal data in a way that protects the rights and privacy of the individual concerned (e.g. secure electronic deletion, shredding and disposal of hard copy files as confidential waste). A log will be kept of the records destroyed.

6) Process personal data in accordance with the rights of the data subject under the legislation.
Individuals have various rights under the legislation including a right to:
● be told the nature of the information the College holds and any parties to whom this may be disclosed.
● prevent processing likely to cause damage or distress.
● prevent processing for purposes of direct marketing.
● be informed about the mechanics of any automated decision taking process that will significantly affect them.
● not have significant decisions that will affect them taken solely by automated process.
● sue for compensation if they suffer damage by any contravention of the legislation.
● take action to rectify, block, erase or destroy inaccurate data.
● request that the Office of the Information Commissioner assess whether any provision of the Act has been contravened.
ETC International College will only process personal data in accordance with individuals’ rights.

7) Put appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of data.
All members of staff are responsible for ensuring that any personal data which they hold is kept securely and not disclosed to any unauthorised third parties. ETC International College will ensure that all personal data is accessible only to those who have a valid reason for using it.  ETC International College will have in place appropriate security measures e.g. ensuring that hard copy personal data is kept in lockable filing cabinets/cupboards with controlled access (with the keys then held securely in a key cabinet with controlled access):
● keeping all personal data in a lockable cabinet with key-controlled access.
● password protecting personal data held electronically.
● archiving personal data which are then kept securely (lockable cabinet).
● placing any PCs or terminals, CCTV camera screens etc. that show personal data so that they are not visible except to authorised staff.
● ensuring that PC screens are not left unattended without a password-protected screen-saver being used.
In addition, ETC International College will put in place appropriate measures for the deletion of personal data – manual records will be shredded or disposed of as ‘confidential waste’ and appropriate contract terms will be put in place with any third parties undertaking this work. Hard drives of redundant PCs will be wiped clean before disposal or, if that is not possible, destroyed physically. A log will be kept of the records destroyed.  This policy also applies to staff and students who process personal data ‘off-site’, e.g. when working at home, and in such circumstances additional care must be taken regarding the security of the data.

8) Ensure that no personal data is transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.  ETC International College will not transfer data to such territories without the explicit consent of the individual.  This also applies to publishing information on the Internet – because transfer of data can include placing data on a website that can be accessed from outside the EEA – so ETC International College will always seek the consent of individuals before placing any personal data (including photographs) on its website.  If the College collects personal data in any form via its website, it will provide a clear and detailed privacy statement prominently on the website, and wherever else personal data is collected.

Definitions

  • The College is Educational Training Centre (UK) Ltd, trading as ETC International College.
  • “Parental consent” includes the consent of a guardian.
  • “Data Subject” is an individual who is the subject of the personal data.

Personal Data

Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary or a student’s attendance record and exam results. Personal data may also include sensitive personal data as defined in the Act.

Processing of Personal Data

Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.

Students’ consent to process their data and disclose it to parents is implicit when they reach the age of 18. If a student wishes to revoke or change consent they must agree a specific agreement on how their data is to be processed with the data processor.

The College will obtain parental or guardian consent for any data processing activity pertaining to students under the age of 18. We must pass information, such as your son/daughter’s personal data and details of any special requirements, on to those involved in providing your son/daughter with any services relating to their stay at The College. These services include, but are not restricted to, reservation of accommodation, transfer services, and classing information. This information may also be provided, if required, to security and credit checking organisations, customs, and the Home Office as required by English Law.

Please note that where your child’s information is held by an Agent working in conjunction with The College, it will be subject to your Agent’s own data protection policy and your country’s national law.

The College processes some personal data for direct marketing purposes: data subjects have the right to request an opt-out to these activities, which must be respected.

Consent as a basis for processing

Although it is not always necessary to gain consent from individuals before processing their data, it is often the best way to ensure that data is collected and processed in an open and transparent manner.
Consent is especially important when ETC International College is processing any sensitive data, as defined by the legislation.

ETC International College understands consent to mean that the individual has been fully informed of the intended processing and has signified their agreement (e.g. via the enrolment form) whilst being of a sound mind and without having any undue influence exerted upon them.  Consent obtained on the basis of misleading information will not be a valid basis for processing.  Consent cannot be inferred from the non-response to a communication.

“Personal Details”

● For the purposes of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) you consent to ETC International College holding and processing personal data including sensitive personal data of which you are the subject, details of which are specified in the College’s Data Protection and Privacy Policy.
● This will include marketing images and the College CCTV.”

ETC International College will ensure that any forms used to gather data on an individual will contain a statement (fair collection statement) explaining the use of that data, how the data may be disclosed and also indicate whether or not the individual needs to consent to the processing.

Cookies Policy

General Definitions

“We” – ETC International College Ltd.

“Cookie(s)” – Data files that websites place on computers or other mobile devices of people who visit those websites.

“This Website” – http://www.etc-inter.net.

General & Legislative Compliance

Cookies are data files that websites place on computers or other mobile devices of people who visit those websites.

Websites, whether representing an individual or company, based in or targeting consumers in any EU/EEA country must inform users about the use of Cookies on their website through the use of a Cookie policy. End-users visiting these websites must be given the opportunity to consent to the use of Cookies. A website’s Cookie policy must be distinct from its privacy policy.

Active Cookies

This Website, like many others, uses Cookies to help customise and improve your end-user experience. However, This Website does not currently directly use any cookies.

Unless otherwise stated in this policy, We are not responsible for the Cookies of other websites or sub-domains of This Website, whether linked to from or embedded in This Website.

Unless otherwise stated, sub-domains of This Website will have their own Cookie policy with its own compliance requirements.

Cookie Settings

Cookies are not currently in use on This Website, so there are currently no settings applicable to Cookies.

You can clear your Cookies following the instructions below relevant to your browser:

Google Chrome
Mozilla Firefox
Microsoft Internet Explorer
Apple Safari

Other browsers or devices will follow similar procedures.

Sensitive Personal Data

The College may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.

Confidentiality Agreement

All staff are obliged to sign a confidentiality agreement in 2 copies.  One copy will be held in the staff member’s file and the other will be issued to the staff member for their own reference.  The Confidentiality Agreement should be read in conjunction with this Policy.

Subject Access Rights (SARs): Rights of Access to Information

Data subjects have the right of access to information held by the College, subject to the provisions of the GDPR 2018.  Any data subject wishing to access their personal data should put their request in writing to the Data Protection Controller.

The College will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 40 days for access to records and 21 days to provide a reply to an access to information request.

ETC International College reserves the right to charge a fee for data subject access requests (currently £20).

The information will be imparted to the data subject as soon as is reasonably possible after it has come to the College’s attention and in compliance with the relevant Acts.

Disclosure of Data

Only disclosures which have been notified under the College’s Data Protection notification must be made and therefore staff and students should exercise caution when asked to disclose personal data held on another individual or third party.

ETC International College undertakes not to disclose personal data to unauthorised third parties, including family members, friends, government bodies and in some circumstances, the police.

Legitimate disclosures may occur in the following instances:
● the individual has given their consent to the disclosure.
● the disclosure has been notified to the OIC and is in the legitimate interests of the College.
● the disclosure is required for the performance of a contract.
There are other instances when the legislation permits disclosure without the consent of the individual.

In no circumstances will ETC International College sell any of its databases to a third party.

Exemptions

Certain data is exempted from the provisions of the Data Protection Act which includes the following:
• National security and the prevention or detection of crime
• The assessment of any tax or duty
• Where the processing is necessary to exercise a right or obligation conferred or imposed by law upon the College, including Safeguarding and prevention of terrorism and radicalisation.

The above are examples only of some of the exemptions under the Act. Any further information on exemptions should be sought from the Data Protection Controller.

Publication of College Information

ETC International College publishes various items which will include some personal data, e.g.
● internal telephone directory.
● event information.
● photos and information in marketing materials.
It may be that in some circumstances an individual wishes their data processed for such reasons to be kept confidential, or restricted to College access only. Therefore it is ETC International College policy to offer an opportunity to opt out of the publication of such data when collecting the information.

Email

It is the policy of ETC International College to ensure that senders and recipients of email are made aware that under the DPA, and Freedom of Information Legislation, the contents of email may have to be disclosed in response to a request for information. One means by which this will be communicated will be by a disclaimer on the College’s email.

Under the Regulation of Investigatory Powers Act 2000, Lawful Business Practice Regulations, any email sent to or from the College may be accessed by someone other than the recipient for system management and security purposes.

CCTV

There are some CCTV systems operating within ETC International College for the purpose of protecting College members and property.  Where a data subject can be identified, images must be processed as personal data.  ETC International College will only process personal data obtained by the CCTV system in a manner which ensures compliance with the legislation.

Accuracy

The College will endeavour to ensure that all personal data held in relation to all data subjects is accurate.

Data subjects must notify the data processor of any changes to information held about them.

Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.

Compliance and Enforcement

This policy applies to all staff and students of ETC International College.  Any breach of this policy or of the GDPR itself will be considered an offence and the College’s disciplinary procedures will be invoked.
As a matter of best practice, other agencies and individuals working with ETC International College and who have access to personal information, will be expected to read and comply with this policy. It is expected that departments who are responsible for dealing with external bodies will take the responsibility for ensuring that such bodies sign a contract which among other things will include an agreement to abide by this policy.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments to the GDPR and other relevant legislation.

If an individual believes that the College has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the member of staff should utilise the College staff grievance procedure or client complaints procedure (as appropriate) and should also notify the Data Protection Controller.

Data Security

The College will take appropriate technical and organisational steps to ensure the security of personal data.

All staff will be made aware of this policy and their duties under the Act.

The College and therefore all staff and students are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.

An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and be encrypted when transported offsite. Other personal data may be for publication or limited publication within the College, therefore having a lower requirement for data security.

Sensitive data of any type must be handled carefully and should not be communicated over the phone.  Email and other communications methods may be used, as long as these are secure and the recipient of the data is authorised to receive this information.  Every effort must be made to ensure that data is only sent to authorised, responsible recipients whose identity has been checked.

As examples:

* student card files must be shredded securely no later than 7 years from the end of their most recent course at ETC.
* staff and host family files must be shredded securely no later than 7 years from the end of their most recent contract if they are no longer working at ETC International College.
* student / agent data must not be transmitted to any agent other than the agent who has been recognised as the agent for that student (and where this is recorded in the ETC database / Class system).
* student / agent data must not be disclosed to embassies by anyone other than the Director or the Principal – especially not over the phone.  There is a centralised system for responding to requests for information from embassies.  Different staff members / case officers are responsible for handling communications with different embassies.  For instance, the Director, Principal, Director of Studies / Senior Teachers (or certain authorised deputies) may disclose data to the Embassy of the Kingdom of Saudi Arabia.  However, only the Director or the Principal may disclose data to these embassies: Oman, UAE, Kuwait, Qatar.
* student / agent data must not be disclosed to the Home Office, the ISI, the British Council, the Police or other statutory bodies by anyone other than the Director, the Principal, the Director of Studies or the Registrar / Admissions Manager – especially not over the phone.  There is a centralised system for responding to requests for information from these bodies.

As a general principle, the external body / person requesting the data should be asked to send an email from their official email address.

External Processors

The College must ensure that data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.

Secure Destruction

When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.

Retention of Data

The College may retain data for differing periods of time for different purposes as required by statute or best practices; individual departments incorporate these retention times into the processes and manuals.

Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data.

The College may store some data such as registers, photographs, exam results, achievements, books and works etc. indefinitely in its archive.

Procedure for review

This policy will be updated as necessary to reflect best practice or future amendments made to the General Data Protection Regulation (GDPR) May 2018 and Data Protection Act 1998.  Please follow this link to the ICO’s website (www.ico.gov.uk) which provides further detailed guidance on a range of topics including individuals’ rights, exemptions from the Act, dealing with subject access requests, how to handle requests from third parties for personal data to be disclosed etc. In particular, you may find it helpful to read the Guide to Data Protection which is available from the website.

For help or advice on any data protection or freedom of information issues, please do not hesitate to contact:

The Data Protection Officer, Mr Kambiz Parandian (Director, ETC International College).

Date: 8th May, 2018.

Review: End of April, 2019.