Data Use and Management Policy
London Vesta College Ltd holds and manages data about individuals and organizations: we do this to provide our services to individuals and organizations. We recognize our fundamental need to ensure that this information is accurate and secure and go beyond the needs of any legislative requirements in this. The secure management of data is central to the way we work. In particular, this policy requires staff to ensure that the Data Controller be consulted before any significant new data processing activity is initiated, in order that the relevant compliance steps are addressed.
Definition of Personal Data
- Identification Number
- Location Data
- Online Identifier
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of Personal Data
- Driver's License Number
- Home Address
- Telephone Number
- Facebook Profile
- IP Address
- Business Development Purposes
Business purposes include the following:
- Compliance with our legal, regulatory and corporate governance obligations and good practice.
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.
- Ensuring business policies are adhered to.
- Operational reasons, such as recording transactions, training, ensuring the confidentiality of commercially sensitive information, security vetting.
- Investigating complaints.
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities, and staff absences, administration and assessments.
- Monitoring staff conduct and disciplinary matters.
- Marketing our business.
- Improving services.
The principles we apply
The Purpose-Limitation Principle
The Data Minimization Principle
The Accuracy Principle
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the Data Controller.
You must also take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. If your personal circumstances change, please inform the Data Controller.
The Storage Limitation Principle
Once information is no longer needed it must be securely disposed of.
A data subject has a right to be forgotten and may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with that request. An erasure request can only be refused if an exemption applies.
The Integrity and Confidentiality Principle
The processing of all data must comply with one of the following bases:
- Necessity for a contract
- Legal Obligations
- Vital Interests
- Public Interest
- Legitimate Interests
Storing Data Securely
You must keep personal data secure against loss or misuse. Where other organizations process personal data as a service on our behalf, we will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organizations.
Please comply with the following:
- In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it.
- Printed data should be shredded when it is no longer needed.
- Data stored on a computer should be protected by password.
- Data stored on CDs or memory sticks must be locked away securely when not being used.
- Any cloud storage system must be approved.
- Servers containing personal data must be kept in a secure location.
- Data should be regularly backed up in line with the company’s backup procedures.
- Data should never be saved directly to mobile devices such as laptops, tablets and smartphones.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
- Investigate the failure and take remedial steps if necessary.
- Maintain a register of compliance failures.
- Notify the Supervisory Authority of any compliance failures that are material either in their own right or as part of a pattern of failures.
Subject Access Request
Please note that individuals are entitled (subject to certain exceptions) to request access to information held about them.
If you receive a subject access request, you should refer that request immediately to the Data Controller.
Please contact the Data Controller if you would like to correct or request information that we hold about you. There are restrictions on the information to which you are entitled under applicable law.
Data requests by individuals or organizations
They can ask questions including:
- What information we hold about them and why.
- How to gain access to it.
Processing in Accordance with Individual Rights
Do not send direct marketing material to someone electronically unless you have an existing business relationship with them in relation to the services being marketed.
Please contact Data Controller for advice on direct marketing before engaging in any such activity.
Contacts and their responsibilities
We take compliance with this policy very seriously. Failure to comply puts both you and London Vesta College Ltd at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.
If you have any questions or concerns about anything in this policy, do not hesitate to contact the people below.