The Literacy Tree is required to process personal data regarding staff and users of the Literary Curriculum, relevant to its operation and shall take all reasonable steps to do so in accordance with this Policy.
Processing may include obtaining, recording, holding, handling, disclosing, transportation, destroying or otherwise using data.
All staff are responsible for complying with this policy.
2.1 This Policy covers the company’s acquisition, handling and disposal of the personal and sensitive personal data it holds on all staff and users of Literary Curriculum. It also applies to contractors. It explains the company’s general approach to data protection which is to ensure that individual’s personal data and information is protected and appropriately processed and provides practical guidance which will help to ensure that the School complies with the Data Protection Act 1998 (the Act) and anticipates the General Data Protection Regulations 2018 (GDPR) which became law on 25th May 2018.
3.1 Personal data is:
3.2 Sensitive personal data is:
3.4 The Data Controller:
The company is the Data Controller and is responsible for determining the purposes of its use of data - what data it gathers and how this information is used. As the Data Controller the company is responsible for complying with the Act.
3.5 The Information Security Officer:
The company has appointed one of the Directors as its Information Security Officer, responsible for day to day compliance with this Policy. She can be contacted at Unit D129, The Literacy Tree, 40, Martell Road, London SE21 8EN or at firstname.lastname@example.org
4.1 The company shall only process personal data for specific and legitimate purposes. These are:
4.2 The company shall not hold unnecessary personal data, but shall hold sufficient information for the purpose for which it is required. The company shall record that information accurately and shall take reasonable steps to keep it up-to-date. This includes an individual's contact and medical details.
4.3 The company shall not transfer personal data outside the European Economic Area (EEA) without the data subject's permission unless it is satisfied that the data subject's rights under the GDPR will be adequately protected and the transfer has been approved by the Information Security Officer.
4.4 When the company acquires personal information that will be kept as personal data, the company shall be fair to the data subject and fair to whoever provides the information (if that is someone else) in that their data will be handled and safeguarded in compliance with the GDPR.
4.5 The company shall only keep personal data for as long as is reasonably necessary and in accordance with the retention and disposal guidelines set out in the Privacy Statement (April 2018)
4.6 Disclosing personal data outside of the company: Sharing personal data with others is often permissible so long as doing so is fair and lawful under the GDPR. See our Privacy Statement (April 2018)
5.1 Definition: A data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure or access to personal data.
5.2 Reporting obligations: Any actual data breach or alleged data breach must be reported to the Information Security Officer as soon as it is discovered, whatever time that might be, to enable its circumstances to be