Data Protection Policy

Introduction

The American School in London (data controller) maintains certain information (including personal and sensitive personal data) about its employees, students, parents, alumni, and other community members, to allow it to communicate effectively with its community, to monitor employee and student achievements, and to ensure safety at the School. It is also necessary to process information so that employees can be recruited and paid; courses can be organized; a high standard of teaching and learning can be delivered; and legal obligations to funding bodies and government departments can be observed.


To comply with Data Protection Act 1998 (DPA), information must be collected and used fairly, lawfully, and stored safely, and must not be disclosed to any other person unlawfully. To do this, the American School in London complies with the data protection principles, as defined in the DPA.


Purpose and scope of this Data Protection Policy

This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the DPA, and other related legislation. It applies to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically.

This policy applies to all employees, trustees, volunteers, and others working on behalf of the School. All employees involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities and adhere to these guidelines.


Personal information

The American School in London and individuals have access to a wide range of personal and sensitive data. The data may be held in a digital format or on paper records as part of a filing system. Personal data may be defined as any combination of data items that identifies a living individual and provides specific information about him/her, his/her family life, or personal circumstances. This includes:


● Personal information about members of the school community, including students, employees, parents or guardians, e.g., names, addresses, contact details, legal guardianship contact details, health records, disciplinary records, etc.


● Curricular or academic data, e.g., class lists, student progress records, reports, references


● Professional records, e.g., employment history, taxation and national insurance records, appraisal records and references


● Any data held visually in photographs or video clips (including CCTV) or as sound recordings


● Any expression of opinion about an individual kept on a school file or system, or any indication of the school’s or someone else’s intentions towards an individual


● Any other information that might be disclosed by parents or guardians, or by other agencies working with families or employees.


Data protection principles

The DPA establishes eight enforceable principles that must be adhered to at all times:


1. Personal data shall be processed fairly and lawfully;


2. Personal data shall be obtained only for one or more specified and lawful purposes;


3. Personal data shall be adequate, relevant and not excessive;


4. Personal data shall be accurate and, where necessary, kept up to date;


5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose or those purposes;


6. Personal data shall be processed in accordance with the rights of data subjects under the DPA;


7. Personal data shall be kept secure, i.e., protected by an appropriate degree of security;


8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.


The American School in London and all employees who process or use personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the School has developed this Data Protection Policy. Any breach of this policy by employees may result in a disciplinary action.


This policy sets out the basis on which the American School in London will process personal and sensitive data collected from data subjects, or that is provided to us by the data subjects or other sources. This policy does not form part of any employee’s contract, although it forms part of the policies accepted as a condition of employment, and may be amended at any time.


Policy statements and responsibilities

Our school is committed to maintaining the data protection principles at all times. Therefore, we will:


● Register, as a data controller, with the Information Commissioner’s Office (ICO) detailing the information held and its use


● Inform individuals why the information is being collected when it is collected


● Inform individuals when their information is shared, and why and with whom it was shared


● Periodically check the quality and the accuracy of the information held


● Ensure that information is not retained for longer than is necessary


● Ensure that obsolete information is destroyed and that it is done so appropriately and securely


● Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded


● Share information with others only when it is legally appropriate to do so


● Set out procedures to ensure compliance with the duty to respond to requests for access to personal information, known as Subject Access Requests


● Issue Privacy Notices that summarise the information held by us


● Ensure our employees are aware of and understand our policies and procedures.


The American School in London takes all appropriate measures, technical and organizational, to ensure the security of individuals' data from loss, harm or unauthorised access. All staff are trained in these steps and procedures and access to the most sensitive data is additionally protected on a need-to-know basis, for example by locked storage or password-protected access.


Privacy notices

In order to comply with the fair processing requirements of the DPA, the American School in London will inform employees and parents or guardians of all students and prospective students—and where appropriate the students themselves—of the data it collects, processes and holds; the purposes for which the data is held; and the third parties (e.g., local council, Department for Education, student information systems, etc.) to whom it may be passed. This privacy notice will be passed to parents or guardians through the Admissions Portal and the school’s website. Parents or guardians of students who are new to the School will be provided with the privacy notice through the Admissions Portal.


Review

This policy will be reviewed as it is deemed appropriate, but no less frequently than every two years. The policy review will be undertaken by the Head of School, or nominated representative.


Contacts If you have any enquires in relation to this policy, please contact dpo@asl.org

Last updated: December 2016