Privacy Policy
Introduction:
Tutor Tailor will need to collect information about clients, tutors, applicants and students. There will also be times when data is required from the external organisations with whom we deal. This policy ensures that all legal data protection guidelines are followed and sets out how we use, store and handle data.
GDPR Article 4 defines Personal Data as any information that relates to an identified or identifiable living individual who can be identified directly or indirectly from the information.
Why this policy exists:
Tutor Tailor protects the rights of both employees and clients to ensure that there are no data breaches. The company is transparent about its processes and it is a mandatory requirement that all tutors and clients adhere to the acceptable usage policy. The policy ensures:
- No breach of confidentiality
- Choice for individuals regarding the handling of their data
- No reputational damage
Tutor Tailor will hold and handle data for:
Tutors, clients, client enquiries, tutor applications and students.
Type of information and data stored:
- Personal (name, NI number, etc.)
- Characteristics (gender, age, etc.)
- Work record and qualifications
- Relevant medical information
- Safeguarding information
- Assessment information for students
- Individual tutor reports
- Addresses
- Payroll information
- Bank details held through Stripe
The Data Protection Act 1998 sets out the regulations for how all companies and organisations collect, handle and store information, whether electronically or on paper. Tutor Tailor’s administration is electronic and we ask that no information is stored on paper.
The principles of the act state that data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
Tutor Tailor general guidelines:
- Data should be collected and stored electronically using TutorCruncher. If any data has been written on paper, it should be shredded immediately after transfer to electronic storage
- Strong passwords should be used for the personal login area
- Data should not be disclosed to anyone outside of the organisation, either formally or informally
- Data should be regularly reviewed and updated. If no longer required, it should be disposed of securely
- If any member of staff is unsure about any of our data protection processes, they must ask for further clarification
Data storage:
- All data should be stored electronically using TutorCruncher’s CRM system. If, for any reason, data has been stored on paper, it must be filed in a locked unit
- Any printouts, including students’ work, should be disposed of when finished with
- Data stored on external devices, such as USB sticks or CDs, should be locked in a secure unit
- All efforts should be made to ensure that software and servers are protected from hackers or viruses
- Personal data will not be stored for any longer than necessary
- Unattended computers should always be locked
Data use:
- Only required data should be collected
- Data should only ever be used for its intended purpose
Transfer limitation:
Personal data shall not be transferred to a country outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data as determined by the European Commission or where the organisation receiving the data has provided adequate safeguards.
Adequate safeguards may be provided by a legally binding agreement between public authorities or bodies, standard data protection clauses provided by the ICO, or certification under an approved mechanism. This means that individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. It may also be possible to transfer data where the data subject has provided explicit consent or for other limited reasons.
Processing means anything done with personal data, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, use, disclosure, dissemination or otherwise making available, restriction, erasure or destruction.
Withdrawal of consent:
Data subjects must be easily able to withdraw consent to processing at any time and withdrawal must be promptly honoured. Consent may need to be reviewed if personal data is intended to be processed for a different and incompatible purpose which was not disclosed when the data subject first gave consent.
Individual rights:
Staff as well as any other ‘data subjects’ have the following rights in relation to their personal information:
- To be informed about how, why and on what basis that information is processed
- To obtain confirmation that personal information is being processed and to obtain access to it and certain other information, by making a subject access request
- To have data corrected if it is inaccurate or incomplete
- To have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (‘the right to be forgotten’)
- To restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful
- In limited circumstances to receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format
- To withdraw consent to processing at any time (if applicable)
- To request a copy of an agreement under which personal data is transferred outside of the EEA.
- To object to decisions based solely on automated processing, including profiling
- To be notified of a data breach which is likely to result in high risk to their rights and obligations
- To make a complaint to the ICO or a Court.
Data accuracy:
- Any data collected should be accurate, regularly reviewed and updated if required
Subject Access Requests:
- Any individual who has shared data with Tutor Tailor has the right to access that data
- All persons have the right to ask how Tutor Tailor has used any data relating to them
- Any subject access requests must be made by email
- Tutor Tailor will always verify the identity of any persons making such a request
Disclosing data for any other use:
- Tutor Tailor will only disclose information to law enforcement agencies if requested
Providing information:
All individuals who share data with Tutor Tailor will be told how their data is being used and must give permission.
GDPR:
Tutors will make contact with clients through TutorCruncher emails rather than a personal email address. No information will be shared outside of the agency or via social media. If the client contacts the tutor directly, Tutor Tailor will need to approve the contact before communications commence.
Tutor Tailor uses the secure finance system Stripe and will not take payment outside of this system.
A student aged between 12 and 16 would be required to give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. In the case of students under the age of twelve consent of a parent or guardian will suffice. Individuals aged 18 or older may give consent themselves.
Data breaches:
A data breach may take many different forms:
- Loss or theft of data or equipment on which personal information is stored
- Unauthorised access to or use of personal information either by a member of staff or third party
- Loss of data resulting from an equipment or systems (including hardware or software) failure
- Human error, such as accidental deletion or alteration of data
- Unforeseen circumstances, such as a fire or flood
- Deliberate attacks on IT systems, such as hacking, viruses or phishing scams
- Blagging offences where information is obtained by deceiving the organisation which holds it
Any breaches must be reported immediately. Serious breaches will be reported to the Information Commissioner’s Office.