Privacy Policy

INTRODUCTION / PURPOSE
One of the main values of the school is the privacy and confidentiality of the personal information it holds about members of the school community, especially those whose personal information we collect, process and store. Within that commitment, the protection of our students’ personal information is considered essential.
The purpose of this policy is to be transparent about:
● How and why we collect personal information, how we may use that information and with whom we may share it and why.
● The measures we take to protect the security of personal information that we collect, process and store.
● How families can contact the school to obtain answers to questions about our privacy practices and how parents and students can exercise their rights over their personal information.
The school is strongly committed to compliance with all relevant regulations and accepted best practices that pertain to the protection of personal information and child protection.
SCOPE
This policy is intended to provide information about and guidance on the handling of personal information belonging to parents and students that is collected, processed and stored by the school.
It describes the type of personal information that the School collects, how the information is handled, how and to whom the information is disclosed, and how the information may be accessed.
The School handles personal information about current, past and prospective students and their parents, legal representatives or guardians (referred to in this policy as “parents”) as well as any third parties who, with their consent, communicate their personal information.
School employees, parents and students are all encouraged to read this policy and understand the School’s obligations to its entire community.
TERMS & DEFINITIONS
● Personal information: Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. It can be applicable to a single individual or can be linked either directly or indirectly to an individual. Information may also be referred to as “data” or “personal data”.
● Employment information: Personal information collected for processing of student application and pass (if applicable).
● Personal information owner: Means the person identified by the personal information, e.g. full names, date of birth, profession, title, contact addresses, email addresses, telephone numbers, ID number, passport number.
● Sensitive personal information: Any information related to the private life or personal privacy of the personal information owners, or information on the family privacy of an individual such as mail, telephone, private electronic information exchange of an individual. It could also be referred to personal secrets, e.g. medical records, credit card numbers and other personal secrets. It includes health information, physical and behavioural features of a person, biometric information which allows the identification of that person (e.g., fingerprints, etc.) and information related to a natural person’s genetic characteristics, whether inherent or acquired, which offers information about the mental or physical health of that person. Sensitive personal information is also related to religious or other beliefs, sexual orientation, health, race, ethnicity, criminal records, etc.
● Health information: Any information or opinion about a person’s physical, mental or psychological health or disability. This may include an opinion about a person’s health status and medical history, special needs, immunisation status and allergies, as well as counselling records.
● Individual: The identified or identifiable natural person to whom the information refers.
● Responsible party: Determines the purpose(s) for collection and processing of personal data, the types of personal information and the legal basis for that processing.
● Operator: Is responsible for processing personal information, but only on the explicit written instructions of the responsible party.
● Information handling: Any action relating to personal information held e.g. the electronic or manual ordering, storing, adding, amending, copying, manipulating, reporting, printing or retrieving personal information held electronically or in a manual paper filing system.
● Data Protection Officer (DPO): An independent professional and a member of the staff whose responsibility is to ensure that the school is correctly protecting individuals’ personal information according to the current legislation.
● Confidential information: Information that must be kept secret and private.
● Consent: it must be understood as any declaration of will “freely given, specific, informed and unambiguous” which indicates the individual’s wishes by which the individual, either by a statement or by a clear affirmative action, confirms agreement to the handling of personal information by the school for one or more specific purposes.
● Information handling: Any operation performed on personal information, such as collection, editing, use, storage, transfer, modification, deletion, sharing and publishing, whether by automated or manual means.
● Data Protection Officer (“DPO”): The person appointed by the school whose responsibility is to ensure that the school is correctly protecting individuals’ personal information in accordance with current legislation and school policy.
● Pseudonymisation: The handling of personal information in such a manner that the personal information can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal information is not attributed to an identified or identifiable natural person.
● Representative: A person who acts on behalf of an individual, e.g., legal tutor of a minor.
● Third party: is any natural or legal person, public authority, agency, or any other body other than the individuals that are authorised to handle personal information.
● Legitimate interests: Refers to the rights and freedoms of those individuals which could be affected by the handling of personal information carried out by the school. The purposes of the handling of personal information must be based on legal ground.
● Rights of the individual: The personal information owner shall have rights to require the school to update, change and delete his/her personal information that the school collects, processes and stores; and to cease the supply of his/her personal information to a third party.
● Individuals affected: This concept relates to the owners of the personal information that has been damaged. In the school context, it may refer to parents, students, employees, etc.
● Minor: A person under 18 years of age. In this case, minors would need parental supervision and consent on their behalf.
● Parental responsibility: Means the legal rights, duties, powers, responsibilities and authority a parent has for a child and the child’s education. A person who has parental responsibility for a child has the right to be informed and make decisions about their academic information, care and upbringing. Important decisions in a child’s life must be agreed with anyone else who has parental responsibility.
DATA PROTECTION OBLIGATIONS
Under the Personal Data Protection Act (PDPA), the school has the following obligations to safeguard personal data entrusted to the school.
- Accountability Obligation: The school must undertake measures to ensure that it meets its obligations under the PDPA, such as making information about its data protection policies, practices and complaints process available upon request, designating a data protection officer (DPO) and making the business contact information available to the public.
- Notification Obligation: Notify individuals of the purposes for which your organisation is intending to collect, use or disclose their personal data.
- Consent Obligation: Only collect, use or disclose personal data for purposes which an individual has given his/her consent to. The school will obtain consent from the individuals for the handling of their data, basically for collection, use or disclosure except where the law states exemptions, grants permission, or creates a requirement for collection, use, or disclosure of personal information.
o Requirements for consent to collection, use or disclosure of personal information may vary depending on the circumstance and on the type of personal information that is intended to be collected, used or disclosed.
o In determining whether consent is required and, if so, what form of consent is appropriate, the school will take into account both the sensitivity of the personal information and the purposes for which the School will use the information.
o Consent may be express, implied (including through use of “opt-out” consent where appropriate) or deemed. For example, if an individual provides to the school his/her mailing address and requests personal information regarding a particular service, consent to use the address to provide the requested information may be implied.
o On giving reasonable written notice to the school, an individual may withdraw consent to the collection, use or disclosure of his or her personal information. Upon notice of withdrawal of consent, the school will notify the individual of the likely consequences of withdrawing his or her consent and, except where otherwise required or permitted by law, the school will stop collecting, using, or disclosing the personal information as requested.
o If a person provides the school or its service providers or agents with personal information about an individual, the person represents that it has all necessary authority and/or has obtained all necessary consents from such individual to enable the school to collect, use and disclose such personal information for the purposes set forth in this Policy.
- Purpose limitation obligation: The school only collects personal information for the purposes that a reasonable person would consider appropriate under the given circumstances and for which the individual has given consent.
The school may not, as a condition of providing a product or service, require the individual to consent to the collection, use or disclosure of his or her personal data beyond what is reasonable to provide that product or service.
- Accuracy obligation: The school takes reasonable efforts to ensure that the personal data collected is accurate and complete, especially if it is likely to be used to make a decision that affects the individual or to be disclosed to another organisation.
- Protection obligation: Reasonable security arrangements have to be made to protect the personal data in the school’s possession to prevent unauthorised access, collection, use, disclosure or similar risks. Personal information shall be kept secured and protected by the technical and organisational measures which ensure an appropriate degree of security, integrity, confidentiality, and privacy.
- Retention limitation obligation: Cease retention of personal data or dispose of it in a proper manner when it is no longer needed for any business or legal purpose.
- Transfer limitation obligation: Transfer personal data to another country only according to the requirements prescribed under the regulations, to ensure that the standard of protection is comparable to the protection under the PDPA, unless exempted by the PDPC.
- Access and correction obligation: Upon request, the school has to provide individuals with access to their personal data as well as information about how the data was used or disclosed within a year before the request.
The school is also required to correct any error or omission in an individual’s personal data as soon as practicable and send the corrected data to other organisations to which the personal data was disclosed (or to selected organisations that the individual has consented to), within a year before the correction is made.
- Data breach notification obligation: In the event of a data breach, the school must take steps to assess if it is notifiable. If the data breach likely results in significant harm to individuals, and/or is of significant scale, the school is required to notify the PDPC and the affected individuals as soon as practicable.
- Data portability obligation: At the request of the individual, the school is required to transmit the individual’s data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format.
WHAT INFORMATION DOES THE SCHOOL COLLECT?
The school collects the following type of information:
- Personal information about students, their parents or tutors and their representatives, provided directly by them or their authorised persons.
- Information about volunteers, visitors, contractors, customers, advisors as well as those of its affiliates and third-party agents engaged in supporting the school business, provided directly by them or their representatives.
- Information about third parties or potential students or clients interested in the school services and who provided their consent to the processing of their personal information for the purposes set forth in this policy.
HOW DO WE COLLECT PERSONAL INFORMATION
- Personally, and over the phone: from students and their family, staff, visitors, contractors, and others.
- From electronic and paper documentation: including emails, invoices, enrolment forms, letters to the school, medical forms, consent forms (for example: enrolment, extracurricular activities, etc), our school’s websites or the school controlled social media.
- Online tools: such as apps and other software used by the school.
- Photographs or other audio-visual contents for educational or commercial purposes with due information and consent of the individual.
- CCTV cameras located at the school.
- Geolocation integrated systems in means of transport (if applicable).
INDIVIDUALS’ RIGHTS OF PROTECTION OF PERSONAL INFORMATION
The school recognises the following rights of individuals to their personal information:
- The right to be informed: Individuals have the right to be informed about the collection and use of their personal data. The school must provide information, at the time it collects information from them, about the purposes for processing their personal information, data retention periods and who it will be shared with. This is called ‘privacy information’.
- The right of access: Individuals have the right to access their personal information; this is commonly referred to as a “subject access request”. It can be made verbally or in writing and it is free of charge.
- Right to rectification: Individuals have the right to obtain without undue delay:
a. The rectification of inaccurate personal information.
b. To have incomplete personal information completed, including by means of providing a supplementary statement.
- Right to delete: Individuals have the right to obtain the erasure of personal information if one of the following grounds applies:
a. The personal information is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
b. The personal information has been collected without consent or the individual wishes to withdraw consent.
c. The individual wishes to exercise their right to object to the handling of personal information and there are no overriding legitimate grounds for it.
d. The personal information has been unlawfully processed.
e. The personal information needs to be erased for compliance with a legal obligation.
f. The personal information has been collected in relation to online shopping.
- Right to restriction of processing: The school will implement and maintain appropriate procedures to assess whether an individual’s request to restrict the handling of personal information can be implemented. Where the request for restriction of processing is carried out, then the school will write to the individual confirming that the restriction has been implemented and when the restriction is lifted.
- Right to information portability: The school handles personal information because there is a legal basis for it. Where the school has collected personal information by consent or by contract, then individuals have the right to receive the information in electronic format or to give the file to another School.
- Right to object: Individuals have the right to object to the handling of personal information in specific circumstances. Where such an objection is received, the school will assess each case on its merits.
- Right not to be subject to automated decision making: Individuals have the right not to be subject to a decision based solely on automated processing, where such decisions would have a legal or significant effect concerning the individual. At present there is no automated processing within the school. If in the future such processing is undertaken, the school will ensure that where systems are implemented, an appropriate right of appeal is available.
- Right to complain: The school is committed to providing a complaints process whereby individuals can contact the DPO directly. The DPO will process the complaint to a satisfactory conclusion for both parties.
- Right to withdraw your consent: Individuals have the right to withdraw consent freely and at any time. The withdrawal of consent shall not affect the lawfulness of the handling of personal information based on consent before its withdrawal.
SUBJECT ACCESS REQUEST PROCEDURE
An individual can exercise the rights at any time by sending a written request to the School’s DPO and attaching a proof of identity.
If a member of the school staff or the DPO receives an information request, the “Exercise of Rights on Personal Information Form” will be sent to the requester in the first instance to be completed and returned. This form and the policy must be available in a common folder of the school or it will be provided by the DPO.
The information must be provided to the individual, or the right complied with, without delay and, at the latest, within one month of receipt of the request. This request is completely free unless it is manifestly unfounded (i.e. when the individual clearly has no intent to exercise their right of access, such as when the request is an excuse to make unsubstantiated accusations against the school) or excessive (i.e. when the request overlaps with a recently submitted “Exercise of Rights on Personal Information Form”).
WHY THE SCHOOL NEEDS TO PROCESS PERSONAL INFORMATION
Consent is the basis for handling of personal information and it must be freely given, specific, informed, unambiguous and granted under solid information that the school guarantees at all times. Consent is our legitimation for the handling of personal information.
In order to carry out ordinary duties to students and parents, the school may process a wide range of personal information about individuals (including current, past and prospective students or parents) as part of its daily operation. Some of this activity needs to be carried out in order to fulfil their rights, duties or obligations, including those developed under a contract with parents or students.
Other uses of personal information will be made in accordance with the school’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of information. The school expects that the following uses may fall within that category of “legitimate interests”:
- For the purposes of student selection (and to confirm the identity of prospective students and their parents);
- To provide education services, physical training or spiritual development, career services, extra-curricular activities and monitoring students’ progress and educational needs.
- To provide school transport services, catering, specialised care, etc.
- Maintaining relationships with Alumnae and the School community, including direct marketing or fundraising activity.
- For the purposes of donor due diligence, if applicable, and to confirm the identity of prospective donors and their background and relevant interests.
- For the purposes of management planning and forecasting, research, and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records).
- To enable relevant authorities to monitor the school’s performance and to intervene or assist with incidents as appropriate.
- To give and receive information and references about past, current and prospective students, to/from any educational institution that the student attended or where it is proposed they attend; and to provide references to potential employers of past students.
- To enable students to take part in national or other assessments, and to publish the results of public examinations or other achievements.
- To safeguard students’ welfare and provide appropriate pastoral care.
- To fulfil the school’s contractual and legal obligations.
- To monitor (as appropriate) use of the School’s ICT and communications systems.
- To make use of photographic images of students in the school’s publications on the school’s website and (where appropriate) on the school’s social media channels.
- For security purposes, including CCTV.
- Where otherwise reasonably necessary for the school’s purposes, including to obtain appropriate professional advice and insurance for the school.
In addition, the school may need to process a special category of personal information (concerning health or religion) or criminal record information in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons may include:
- To safeguard students’ welfare and provide appropriate pastoral (and where necessary, medical) care and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition where it is in the individual’s interests to do so: for example, for medical advice, social services, insurance purposes or to organisers of school trips.
- To provide educational services in the context of any special educational needs of a student.
- To provide spiritual education in the context of any religious beliefs.
- In connection with employment of its staff, for example welfare or pension plans.
- For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with the legal obligations and duties of care.
TYPES OF PERSONAL INFORMATION HANDLED
This will include by way of example:
- Names, addresses, telephone numbers, e-mail addresses and other contact details.
- Vehicle details (for those who use our car parking facilities).
- ID numbers, passports, insurance, background checks.
- Bank details and other financial information, e.g. about parents who pay fees to the School.
- Past, present and prospective students’ academic, disciplinary, admissions and attendance records (including information about any special needs), employment information and examination scripts and marks.
- Past, present and prospective parents’ employment information, family status, documents issued by a Court or by a public authority, powers of attorney, etc.
- Where appropriate, information about individuals’ health, and contact details for their next of kin.
- References given or received by the school about students, and information provided by previous educational establishments and/or other professionals or the school working with students.
- Images of students (and occasionally other individuals) engaging in the school activities, and images captured by the school’s CCTV system (in accordance with the school’s policy on taking, storing and using images of students).
- Parents or legally authorised persons can also access the location of the student in the bus transport service when the phone app or similar is used for the correct execution of such service.
The school also processes personal information from its employees, suppliers, interns, volunteers, officers, agents, contractors, advisors as well as those of its affiliates and third party agents engaged in supporting the school. The purposes for which the school uses personal information of these individuals may include, among others:
- Administering the individual’s employment contract (including background checks).
- Insurance purposes.
- Marketing purposes.
- To satisfy the school’s legal, moral and fiduciary obligations, especially those related to child safeguarding and protection.
TRANSFER OF INFORMATION BETWEEN OUR SCHOOLS
When a student has been accepted at, and is enrolling at, another school, the school transfers information about the student to that new school. This may include copies of the student’s school records and health information.
This transfer of personal information enables the new school to continue to provide the services for the education of the student, to support the student’s social and emotional wellbeing and health and to fulfil legal requirements among other obligations.
As the School is integrated into the XCL Education international network of schools, it is possible for the student to study at any of the group’s schools, so the communication of personal information between the Schools will be necessary, including international transfer of personal information if appropriate, within the relevant legal conditions.
STORING AND SECURING INFORMATION
The School shall use the appropriate technical and organisational measures to ensure the security, confidentiality, integrity and privacy of the personal information, and the prevention of unauthorised access or unlawful processing against accidental loss, destruction or damage of the files.
UPDATING PERSONAL INFORMATION
The school endeavours to ensure that the information that we handle is always accurate, complete and up to date. Individuals who wish to update their information may do so by contacting the Admissions Department and the student’s homeroom teacher, as relevant.
SHARING INFORMATION
The school will only share your information with third parties on a need-to-know basis and with your consent except in cases relating to legal requirements, safeguarding of children, criminal activity, or if required by legally authorised bodies (e.g., courts, police, social services, etc).
If the school decides to share information without parental consent and strictly under the cases stipulated by Law, we will record this in the student’s file, clearly stating our reasons.
The school will only share relevant information that is accurate and up to date. Our primary commitment is to the safety and well-being of the students in our care.
Some limited personal information is disclosed to authorised third parties we have engaged to process it, as part of the daily operation of our business, for example to run our payroll and accounts, legal advisors, etc.
PARENTAL RESPONSIBILITY
In cases of shared parental rights, regardless of who has legal custody, both parents have the right to receive the same information about the circumstances that occur in their child’s educational process, which obliges the school to guarantee the duplication of the information unless a judicial resolution is provided that establishes the deprivation of parental rights to any of the parents or some type of criminal measure prohibiting communication with the minor and/or his/her family.
All conflicts that could arise between parents in this regard must be brought before a family and juvenile court.
Parents will have the right to access the academic and educational information of their children, even if they are of legal age or emancipated, as long as they incur alimony, or education expenses, or food expenses, in which case the legitimate right of information of the parents will prevail over the privacy rights of the student of legal age or emancipated.
SENDING COMMERCIAL COMMUNICATIONS
With consent, the school may send information or materials to parents and students, such as prospectuses, leaflets, newsletters, etc., by e-mail or postal mail.
Individuals may withdraw consent at any time by informing the school in writing. The school will then take reasonable steps to remove the personal information from the relevant databases and distribution lists.
CONSENT TO USE IMAGES
The school emphasises the importance of celebrating student success and as such photos and videos of students are often used to showcase their skills and talents, as well as the day-to-day life of the school.
The school is committed to the protection of the images of students and we take compliance with privacy and protection of children very seriously, especially regarding consent to the publication of audio-visual contents of students, staff and other people who may appear in our publications.
At the beginning of the school year, the school requests authorisation to share students’ audio visual content on the School websites, marketing, social media channels, press and other promotional channels. Students of legal age can give their consent by themselves without parental authorisation without prejudice to parental supervision.
The school will never disseminate any photograph or video without parent or student consent.
The school is not responsible for any images taken and shared by parents or students without their express consent. In addition, the school does not authorise the use of the contents of its publications by third parties nor is the school responsible for any unauthorised uses.
The school will seek consent from parents to use the image/s and information once a year (as an appendix to the student contract) in relation to publicity, which covers the use of photos and names in the school yearbook.
To preserve the safety and privacy of students and parents in the school’s facilities, it is strictly forbidden to record videos or take photographs within the school campus except in specific organised events or circumstances in which it is permitted and with the limitations set forth above.
PERIOD OF RETENTION
Personal information will only be retained for the period of time required by law or if not required by law, to fulfil the purpose for which it was collected. Once the personal information is no longer required or permitted to be retained for legal or business purposes, it will be destroyed or made anonymous by pseudonymisation.
ACCURACY AND SECURITY OF PERSONAL INFORMATION
The school will endeavour to ensure that all personal information held in relation to an individual is as up to date and accurate as possible. Individuals must notify the school at least on an annual basis of any changes to information held about them. Responsibility for changes in information relating to students rests with the parents.
The individual has the right to request that any inaccurate or out-of-date information about them is erased or corrected.
The school will take appropriate technical and organisational steps to ensure the security of personal information about individuals, including policies around use of technology and devices, and access to the school’s systems. School employees will be made aware of this policy and shall receive relevant training.
COOKIES
The School website tracks web browsing patterns to better understand how our website is being used. This generic information is collected through the use of session cookies. The cookies used by our websites are associated with an anonymous user and their computer, and they are not related to the user’s personal information.
The cookies used in our websites are all temporary, with the sole purpose of making future transmission more efficient. In no case will the cookies be used in order to collect personal information.
IP ADDRESSES
The website servers will automatically be able to detect the IP Address and domain name used by the user. All of this information is collected in a file about server activity that allows subsequent handling of personal information with the aim to collect statistical measurements only, which show the number of printed pages, the number of visits to web services, the reasons of the visit, the point of access, etc.
SECURITY
The website uses information security technologies which are accepted throughout the industry, such as firewalls, methods to control access and cryptographic mechanisms. All of these have the objective of preventing unauthorised access to the information. In order to carry out these purposes, the user/client accepts that the provider collects information for purposes of authentication for access control.
The school may update the cookies policy from time-to-time by posting a new version on the website.
EDUCATIONAL APPLICATIONS
The school uses a school management information system (MIS) as well as different educational and learning platforms to complement teaching (SAAS / cloud computing services). These platforms store and process sensitive information of parents, teachers, and students strictly for internal and educational purposes.
The teachers request, prior to their use, authorisation from the school. Each authorisation request involves the assessment of the application from the point of view of protection of personal information and information security as well as the subsequent authorisation or denial by the school.
All users of these platforms have restricted access through industry standard password protection.
The use of such educational platforms does not imply at any moment the transmission of a student’s personal information to the application’s service provider so that they can use such personal information for their own purposes or store it permanently. The school will always retain its right to access a student’s personal information and its deletion when deemed appropriate.
These platforms are in strict compliance with the legislation of protection of personal information and assure the adoption of sufficient guarantees in case there is an international transfer of information.




PEI registration number: 200803726H,
19 March 2025 to 18 March 2029
