Data Protection Policy

Background


The primary purpose of current data protection legislation is to protect individuals against possible misuse of information about them held by others. It is the policy of Oxbridge International Summer School (OISS) to ensure that all members of OISS, its staff and volunteers are aware of the requirements of data protection legislation with regards their individual responsibilities, and to ensure that all reasonable measures are taken to secure the personal data of our clients, volunteers, and staff.


Oxbridge International Summer School is a programme run by Oxbridge Interviews Ltd.


The Data Protection Act (“The Act”) covers personal data, whether held on computer or in certain manual files.

Oxbridge International Summer School (“OISS or “the data controller” or “the controller”) is obliged to abide by the data protection principles embodied in the Act. These principles require that personal data shall:


  1. be processed fairly and lawfully;
  2. be held only for specified purposes and not used or disclosed in any way incompatible with those purposes;
  3. be adequate, relevant and not excessive;
  4. be accurate and kept up-to-date;
  5. not be kept for longer than necessary for the particular purpose;
  6. be processed in accordance with data subject's rights;
  7. be kept secure;
  8. not be transferred outside the European Economic Area unless the recipient country ensures an adequate level of protection.

The Act provides individuals with rights in connection with personal data held about them. It provides individuals with the right to access data concerning themselves (subject to the rights of third parties). It also includes the right to seek compensation through the courts for damages and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data.


Under the terms of the Act, processing of data includes any activity to do with the data involved. All staff or other individuals who have access to, or who use, personal data, have a responsibility to exercise care in the treatment of that data and to ensure that such information is not disclosed to any unauthorised person. Examples of data include address lists and contact details as well as individual files. Any processing of such information must be done in accordance with the principles outlined above. In order to comply with the first principle (fair and lawful processing), at least one of the following conditions must be met [“Schedule 2”]:


  • the individual has given his or her consent to the processing;
  • the processing is necessary for the performance of a contract with the individual;
  • processing is required under a legal obligation;
  • processing is necessary to protect the vital interests of the individual;
  • processing is necessary to carry out public functions;
  • processing is necessary in order to pursue the legitimate interests of the controller or third parties (unless it could prejudice the interests of the individual).
  • In the case of sensitive personal data, which includes information about racial or ethnic origins; political beliefs; religious or other beliefs; trade union membership; health; sexual orientation; criminal allegations, proceedings or convictions, there are additional restrictions and explicit consent will normally be required.

In relation to security (Principle 7), the Data Controller (OISS) must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data and sets out specific considerations for ensuring security. Staff and other individuals should be aware that guidelines and regulations relating to the security of manual filing systems and the preservation of secure passwords for access to relevant data held on computer should be strictly observed.


Staff should also note that personal data should not normally be provided to parties external to OISS.


A failure to comply with the provisions of the Act may render OISS, or in certain circumstances the individuals involved, liable to prosecution as well as giving rise to civil liabilities. Individuals are encouraged to familiarise themselves with the general aspects of Data Protection contained in OISS guidelines to the Act.



Principles to which OISS commits



OISS commits to comply with the principles of the Data Protection Act reproduced below:



First Principle



Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.


Amongst the key conditions in Schedule 2 are that either the data controller has the consent of the data subject or the processing is necessary to fulfil a contract with the data subject or to comply with other legal obligations.


Special conditions apply to sensitive personal data, which is defined as information relating to race or ethnic origin, political opinions, religious beliefs, physical/mental health, trade union membership, sexual life or criminal activities. These data cannot be processed in most circumstances unless the data subject has given explicit consent to the processing, or the processing is necessary for strictly limited purposes which are defined (e.g. the administration of justice) [“Schedule 3”].



Second Principle



Personal data shall be obtained for one or more lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.


It is important to be aware of the discipline that this implies. Material in a file may in the normal course of events be used for a number of purposes. It is now clear that use must adhere strictly to the purposes to which the attention of the data subject has been drawn.


Thus in future information obtained for the purpose of student records cannot be used for the purpose of, e.g., fundraising, marketing, unless the student has given prior consent.



Third Principle



Personal data shall be adequate, relevant and not excessive for the purpose or purposes for which they are processed.


This implies not only that compiling too much information should be avoided, but also that sufficient information should be obtained for the proper performance of the operation.



Fourth Principle



Personal data shall be accurate and, where necessary, kept up to date.


This principle requires that OISS take reasonable steps to ensure the accuracy of data or, where the data subject has expressed a view that the data is inaccurate, that the data records that view.



Fifth Principle



Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.



Sixth Principle



Personal data shall be processed in accordance with the rights of data subjects under this act.



Seventh Principle



Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.


Thus data must be kept secure. It is the responsibility of the data controller to take reasonable steps to ensure the reliability of any employees who have access to personal data. In addition, if OISS is using a third party processor, then they must ensure that there is a contract in place with that data processor which provides for appropriate security measures.


OISS faculties should consider the way in which manual as well as electronic data are held, to ensure that they comply with the requirements as to security.



Eighth Principle



Personal data shall not be transferred to a country or territory outside the European Economic Area (the 27 EU member states together with Norway, Iceland and Liechtenstein) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to processing of personal data. This principle does not apply where the data subject has given consent to the transfer or where the transfer is necessary for a contract with the data subject.


Of particular note is the fact that material placed on the world wide web is in effect available to any country and thus personal data should not be placed on the web unless the subject has consented (subject to very limited exceptions). The European Commission has now approved the US "Safe Harbor" arrangement, which will involve organisations in the States committing themselves to comply with a set of data protection principles. Commitment to "safe harbours" will provide an adequate level of protection for transfers of personal data to the US from EU Member States. This will of course provide a basis for compliance with the 8th Principle of the DP Act in the UK in relation to transfers to US organisations that have signed up to the scheme.



Definitions



Data controller is the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.


Data subject means an individual who is the subject of personal data.


OISS is Oxbridge International Summer School, a programme run by Oxbridge Interviews Ltd.


Personal data means data which relate to a living individual who can be identified from that information, or from that and other information which is in the possession of or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual (subject to very limited exceptions).


Processing means obtaining, recording, holding or using the information or data (which includes, in relation to personal data, obtaining or recording the information to be contained in the data) or carrying out any operation or set of operation on the information or data. Under the new Act, processing is very widely defined, to the extent that guidelines produced by the Information Commissioner suggest that it is difficult to envisage any action involving data which does not amount to processing within this definition.


Sensitive data are defined as information relating to race or ethnic origin, political opinions, religious beliefs, physical/mental health, trade union membership, sexual life or criminal activities. Special conditions apply to the processing of this type of information, including an obligation to obtain the explicit consent of the individual (except in limited circumstances).


Third Party Information is information relating to another individual (other than the data subject) who can be identified by that information.



Oxbridge International Summer School Data Protection Guideline



OISS will comply with these principles by following the procedures below:



  • OISS only requests data from students, staff and volunteers which is necessary to carry out the functions of the summer school, but will require all the information necessary to be able to adequately protect the safety and well-being of, in particular, its students during the summer school

  • OISS will ask permission of students, staff and volunteers for their permission to use their personal data, and will explain what it will use it for

  • OISS will limit the amount of sensitive personal data which it asks of students, staff and volunteers. However OISS recognises that some sensitive personal data must be collected – namely, health or religious information about students, criminal convictions for staff and volunteers – and will seek explicit permission for this.

  • OISS will only use personal data for the purposes for which it was collected – i.e. data about students’ health will only be used to ensure their safety and well-being during the summer school, and not for any other purposes – i.e. sharing with a third party, etc.

  • OISS will keep all data up to date and provide easy channels (through online forms) for students, volunteers and staff to update their data

  • OISS will destroy personal data once students have left the programme, or once volunteers / staff have terminated their relationships with OISS, including shredding of paper files


  • OISS will take digital security of data held online very seriously. All documentation containing personal data will be password protected, and held on password protected computers. Any personal data saved to USB memory drive will be kept in a password protected document. USB memory drive, cheques and any other paper personal data will be kept in a lockable cash box or office when not in use.


  • Personal data will be accessible to the smallest possible number of individuals – the Oxbridge Interviews Ltd staff team, and OISS casual staff (housemistress and activity co-ordinators). All these staff will sign this data protection policy to indicate that they have read and understood it. Volunteers will have access to limited personal data, but not to any sensitive personal data, of students, but only for the duration of the summer school.

  • OISS will not share data with third party processors, without a contract in place to oblige the third party to adhere to the same standards of data protection.

  • Unattended computers will be password locked particularly when working in public areas

  • Staff and volunteer biographies will only be put on the OISS website / social media pages if consent has been given, and no sensitive personal data will be included in these biographies.

  • Volunteers’ contracts with OISS instruct volunteers not to share their own personal data with students or to share personal data about students with anyone outside Oxbridge International Summer School. Volunteers are informed that if they breach these regulations, their relationship with OISS will be terminated.

  • Student mobile numbers and email addresses will be used by OISS staff only for the purpose of carrying out the legitimate interests of the summer school – i.e. to organise the summer school and activities and to protect the safety and well-being of students. Student mobile numbers will not be given directly to volunteers – this contact will be mediated via OISS staff.

  • In no situation, apart from an emergency, should staff or volunteer home phone or personal mobile numbers be given to any students, although these may be shared among staff

  • Staff will keep their passwords private and alert the CEO immediately if they suspect someone has tampered with their account. Staff will use 2-step verification to protect access to all email accounts.

  • Only relevant staff members will have access to passwords, and passwords will be updated regularly

  • Staff should exercise caution when accessing shared documents and email accounts, making sure all passwords and personal data is protected

  • Staff will alert the CEO immediately if they suspect unauthorised or unlawful processing of any Oxbridge International Summer School data through email or in person

  • Staff will alert the CEO immediately if there is accidental loss or damage of personal data

  • Staff will be responsible for making sure all data held and used by Oxbridge International Summer School is accurate and up-to-date and will record changes/amend inaccuracies on relevant software (e.g.: MailChimp and Google Docs)

  • All notes on selection for staff and intern posts will be kept by the CEO once the selection process is complete for one year in a separate and password protected file.

  • Oxbridge International Summer School will only send CC emails if all recipients have agreed to share email addresses; if not Oxbridge International Summer School will use BCC function when sending group emails.

  • Copies of returned DBS disclosures will be handled in accordance with our DBS Policy

  • Student records will be kept for a maximum of one year after the service has been delivered

  • Oxbridge International Summer School will only use client personal data as agreed and will not share with third parties without express consent

  • Financial data is processed for Oxbridge International Summer School by Realex, Elavon, Google Checkout or Paypal, all of which are secure payment gateways. Client credit card details will never be written down

  • In the event of data compromise, the CEO will be informed immediately, and the CEO will decide whether to inform the relevant authorities


Monitoring & Review



  • This policy was reviewed by Stephanie Pope (Summer School Coordinator) on 20.3.14.

  • This policy was reviewed by Georgina Feary (Summer School Coordinator) on 02/02/2015

  • This policy was reviewed by Niamh Gordon (Events Coordinator) on 14/04/2016

  • This policy was reviewed by Zoe Tyndall (CEO) on 25/05/2016