Introduction
The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose certain legal obligations in connection with the processing of personal data. We recognise that our colleagues will be keen to understand how GDPR may affect the services that we provide and our compliance with GDPR.
We already have policies, processes and IT security in place to safeguard personal data and to comply with the requirements of the existing Data Protection Act 1998.
The actions that we have already taken to be ensure compliance include:
1. We have completed the 12 steps recommended by the Information Commissioner’s Office (ICO).
2. Completed data audits across the organisation
3. Conducted an audit of suppliers who process personal data on our behalf
Requesting personal data we hold about you (subject access requests)
We have an established process to deal with SARs and we will be able to respond to the requests in line with the requirements of GDPR
Reporting of Data Breaches
We have an established process to report breaches and we will be able to respond to the breach notification requirements under GDPR
Putting things right (the right to rectification)
You have a right to obtain the rectification of any inaccurate personal data concerning you that we hold. You also have a right to have any incomplete personal data that we hold about you completed. Should you become aware that any personal data that we hold about you is inaccurate and/or incomplete, please inform us immediately so we can correct and/or complete it.
Deleting your records (the right to erasure)
You have a right to have the personal data that we hold about you erased. Further information is available on the ICO website (www.ico.org.uk). If you would like your personal data to be erased, please inform us immediately.
Data Retention Period
We destroy correspondence and other papers that are more than seven years old (six plus present) from the end of the relevant period.
Transfers of personal data outside the EEA
For security purposes, our Data is encrypted using AES 256-bit encryption and then backed up to USA cloud based elephant drive using a 128-bit SSL secured channel. The organisation is an active participant of the Privacy Shield Framework. Some data is stored in Microsoft 365 One Drive – OneDrive and SharePoint Online also use file-level encryption to encrypt data at rest. Office 365 moves beyond a single encryption key per disk to deliver a unique encryption key so that every file stored in SharePoint Online—including OneDrivefolders—is encrypted with its own key.
Complaints
If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with the GDPR or DPA 2018 in some other way, you can complain to us. Please send any complaints to Clive Loveday, ID Education, c/o Acc-Unique Solutions Ltd, 4 Albany Road, Harborne, Birmingham, B17 9JX.
If you are not happy with our response, you have a right to lodge a complaint with the ICO (www.ico.org.uk).