
Data Protection Policy

Introduction and Scope

This policy is to ensure that Tutorfox complies with the requirements of the UK General Data Protection Regulation and the Data Protection Act 2018 in addition to associated guidance and Codes of Practice issued under the legislation.

This policy including its appendices applies to our entire workforce. This includes employees, contractors, agents and representatives, volunteers and temporary staff working for, or on behalf of, Tutorfox. Individuals who are found to infringe this policy knowingly or recklessly may face disciplinary action.

This policy is the organisation’s main information governance policy, covering all aspects of data protection, information security and records management, and applies to all personal data, regardless of whether it is in paper or electronic format. 

Roles and Responsibilities

Personal data will be processed in accordance with the requirements of UK GDPR and in compliance with the data protection principles specified in the legislation. Overall responsibility for ensuring that the organisation meets the statutory requirements of any data protection legislation lies with the Director. 

Data Protection Officer (DPO)

The role of the DPO is to assist the organisation in monitoring compliance with the UK GDPR and the Data Protection Act 2018 and advise on data protection issues. Tutorfox has appointed Veritau as our DPO. Their contact details are:


Veritau Ltd.
West Offices
Station Rise
York
North Yorkshire
YO1 6GA
schoolsDPO@veritau.co.uk // 01904 554025


The DPO is a statutory position and will operate in an advisory capacity. Duties will include:

•    Acting as the point of contact for the Information Commissioner’s Office (ICO) and data subjects;
•    Facilitating a periodic review of the corporate ROPA and information governance policies;
•    Assisting with the reporting and investigation of information security incidents;
•    Providing advice on all aspects of data protection as required, including information requests, information sharing and Data Protection Impact Assessments.

Senior Information Risk Owner (SIRO)

The SIRO is a senior member of staff who has ultimate responsibility for operational risk, ensuring that the organisation’s policies and procedures are effective and comply with legislation, and promoting good practice. In our organisation this role lies with the Director.

Single Point of Contact (SPOC)

The SPOC is someone at operational level who can take responsibility for data protection, including communicating with data subjects and the DPO. In our organisation this role lies with the Director.

All staff

All staff, including contractors, agents and representatives, volunteers and temporary staff working for, or on behalf of, the organisation are responsible for collecting, storing and processing any personal data in accordance with this policy.

Data Protection Principles

We will comply with the data protection principles, as defined in Article 5 of the UK GDPR. We will ensure that personal information is:

•    Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
•    Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
•    Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
•    Accurate and where necessary kept up to date (Accuracy).
•    Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation).
•    Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).

We recognise that not only must we comply with the above principles, we must also demonstrate our compliance (Accountability).

Lawful Bases

UK GDPR sets out several lawful bases under which we can process personal information. We usually rely on the lawful basis of contract; at times we may instead rely on our legitimate interests. We will only do this where we are using data in ways individuals would reasonably expect, and we will conduct a legitimate interests assessment (LIA) where necessary.

We have an Appropriate Policy Document (APD) in place (see Appendix One) which provides information about our processing of special category (SC) and criminal offence (CO) data. The APD demonstrates how we comply with the requirements of the UK GDPR and DPA.

Data Subject Rights

Under the UK GDPR, individuals have several rights in relation to the processing of their personal data:

Right to be informed

We provide individuals with privacy information at the time we collect their data, normally by means of a privacy notice, which is made easily accessible to the data subject. Privacy notices will be clear and transparent, regularly reviewed, and include all information required by data protection legislation.

Right of access

Individuals have the right to access and receive a copy of the information we hold about them. This is commonly known as a Subject Access Request (SAR). We have in place a SAR procedure which details how we deal with these requests (Appendix Two).

Other rights include the right to rectification, right to erasure, right to restrict processing, right to object, right to data portability and rights related to automated decision-making, including profiling.

Requests exercising these rights can be made to any member of staff, but we encourage requests to be made in writing, wherever possible, and forwarded to the SPOC who will acknowledge the request and respond within one calendar month. Advice regarding such requests will be sought from our DPO where necessary.

A record of decisions made in respect of the request will be retained; recording details of the request, whether any information has been changed, and the reasoning for the decision made. 

Records of Processing

In accordance with Article 30 of UK GDPR, we must keep a record of our processing activities. We will do this by developing and maintaining a Record of Processing Activities (ROPA).

When processing personal data in our capacity as a Data Controller, our ROPA will include the following details (as a minimum):

•    The name and contact details of the Controller and, where applicable, the joint Controller, the Controller's representative and the DPO,
•    The purposes of the processing,
•    A description of the categories of data subjects and of the categories of personal data;
•    The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
•    Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where required, the documentation of suitable safeguards,
•    The envisaged retention period(s) for the different categories of data, 
•    A general description of the technical and organisational security measures.

We will include links to relevant documentation, such as data processing contracts, information sharing agreements, and risk assessments, wherever possible.

We will review the ROPA at least annually to ensure it remains accurate and up to date, consulting with the DPO as necessary.

Privacy by Design and Risk Assessments

We will adopt a privacy by design approach and implement appropriate technical and organisational security measures to demonstrate how we integrate data protection into our processing activities.

We will conduct a Data Protection Impact Assessment (DPIA) when undertaking new, high-risk processing, or making significant changes to existing data processing. The purpose of the DPIA is to consider and document the risks associated with a project prior to its implementation, ensuring data protection is embedded by design and default. 

All of the data protection principles will be assessed to identify specific risks. These risks will be evaluated and solutions to mitigate or eliminate these risks will be considered. Where a less privacy-intrusive alternative is available, or the project can go ahead without the use of special category data, we will opt to do this.

All DPIAs are signed by our Senior Information Risk Owner and Data Protection Officer.

Information Sharing

In order for Tutorfox to effectively fulfil our duties it is sometimes necessary for us to share information with third parties. Routine and regular information sharing arrangements will be documented in our privacy notices and in our ROPA. 

Any further or ad-hoc sharing of information will only be done in compliance with legislative requirements, including the ICO’s data sharing code of practice. We will only share personal information where we have a lawful basis to do so, ensuring any disclosure is necessary and proportionate. All disclosures will be approved by the relevant staff member and recorded in a disclosure log.

Contract Management

All third-party contractors who process data on our behalf must be able to provide assurances that they have adequate data protection controls in place. Where personal data is being processed, we will ensure that there is a written contract in place which includes all the mandatory data processing clauses, as required by UK GDPR.

We will maintain a record of our Data Processors, and regularly review the data processing contracts, with support from the DPO, to ensure continued compliance. 

International transfers

All information held within the Tutorfox platform itself is stored in Microsoft’s Cardiff Data Centre and will not be transferred outside the UK.  

Some of the digital information we hold outside the platform or in other applications may be stored on computer servers located outside the UK.  Some of the IT applications used may also transfer data outside the UK. 

Normally personal information will not be transferred outside the UK or the European Economic Area (EEA); the UK government has made adequacy regulations covering the EEA. In the event that information is transferred outside the EEA, we will ensure data is protected and appropriate safeguards are in place in accordance with the UK GDPR.

We will consult with the DPO for any processing which may take place outside of the EEA prior to any contracts being agreed.

Information Security

The sixth principle of the UK GDPR (integrity and confidentiality) states that organisations must protect the personal data they process against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical and organisational measures. 

To ensure we meet our legal obligations, personal data will be protected according to the security model known as the ‘CIA’ triad, the three key elements of information security:

•    Confidentiality – only authorised people should have access to information.
•    Integrity – information should be accurate and trustworthy. 
•    Availability – authorised people should have access to the information and systems they need to carry out their job.

Access Control

We will maintain control over access to the personal data that we process. 
These controls will differ depending on the format of the data and the status of the individual accessing the data. We will maintain a log detailing which individuals have access to which systems (both electronic and manual). This log will be maintained by the Director.

Manual filing systems

Access to manual filing systems (i.e., non-electronic systems) will be controlled by a key management system. All files that contain personal data will be locked away in lockable storage units, such as a filing cabinet or a document safe, when not in use. 

Keys to storage units will be stored securely. The Director will be responsible for giving individuals access to the key store. Access will only be given to individuals who require it to conduct legitimate business functions. Where a PIN is used, the PIN will be changed every three months or whenever a member of staff leaves the organisation, whichever is sooner. 

Electronic systems

Access to electronic systems will be controlled through a system of user authentication. Individuals will be given access to electronic filing systems if required to conduct legitimate functions. 

Individuals will be required to change their password at appropriate intervals, and user accounts will be suspended when an individual is on long-term absence or leaves our employment. 

Individuals should use a different password for each system, so that the compromise of one system does not lead to other systems being accessed. 
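The two controls above, the access log maintained by the Director and the suspension of accounts on leaving or long-term absence, are only effective if the log is actually reconciled against staff records. The following is an added example of that reconciliation and is not part of the original policy or any Tutorfox system: it takes a constructed access log and a constructed staff list, and reports accounts that should be suspended, accounts with no matching staff record (orphans), and passwords older than an assumed 90-day rotation interval. The column names, the sample usernames and the interval are assumptions for illustration.

```python
"""Access-review helper (added example, not Tutorfox code).

Reconciles an access log (who has access to which system, and who authorised
it) against staff records, and reports what a periodic access review should
act on.  All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed rotation interval; the policy only says "appropriate intervals".
ROTATION_INTERVAL = timedelta(days=90)

# Constructed review date used by the sample run below.
AS_OF = date(2024, 6, 1)


@dataclass(frozen=True)
class AccessEntry:
    user: str               # username as recorded in the access log
    system: str             # system the user has been granted access to
    granted_by: str         # who authorised the access
    password_changed: date  # last password change on that system


@dataclass(frozen=True)
class StaffRecord:
    user: str
    status: str                     # "active", "left" or "long_term_absence"
    left_on: Optional[date] = None  # populated when status == "left"


# Constructed sample access log and staff list (not real accounts).
ACCESS_LOG = [
    AccessEntry("asinclair", "tutor-platform", "director", date(2024, 3, 1)),
    AccessEntry("asinclair", "finance", "director", date(2024, 5, 10)),
    AccessEntry("jdoe", "tutor-platform", "director", date(2024, 1, 15)),
    AccessEntry("jdoe", "hr-files", "director", date(2024, 1, 15)),
    AccessEntry("mpatel", "tutor-platform", "director", date(2024, 4, 20)),
    AccessEntry("auditor1", "tutor-platform", "director", date(2024, 5, 1)),
]

STAFF = [
    StaffRecord("asinclair", "active"),
    StaffRecord("jdoe", "left", left_on=date(2024, 4, 30)),
    StaffRecord("mpatel", "long_term_absence"),
]


def accounts_to_suspend(access_log, staff, as_of) -> Dict[str, List[str]]:
    """Users who have left (on or before as_of) or are on long-term absence
    but still hold access.  Returns {user: sorted list of systems}."""
    by_user = {s.user: s for s in staff}
    found: Dict[str, List[str]] = {}
    for entry in access_log:
        rec = by_user.get(entry.user)
        if rec is None:
            continue  # handled by orphan_accounts()
        has_left = rec.status == "left" and rec.left_on is not None and rec.left_on <= as_of
        if has_left or rec.status == "long_term_absence":
            found.setdefault(entry.user, []).append(entry.system)
    return {user: sorted(systems) for user, systems in found.items()}


def orphan_accounts(access_log, staff) -> List[Tuple[str, str]]:
    """Access-log entries with no staff record at all, e.g. an auditor's
    external account that was never linked to a leaver process."""
    known = {s.user for s in staff}
    return sorted({(e.user, e.system) for e in access_log if e.user not in known})


def stale_passwords(access_log, as_of, interval=ROTATION_INTERVAL) -> List[Tuple[str, str, int]]:
    """(user, system, age_in_days) for passwords older than the interval."""
    stale = []
    for entry in access_log:
        age = (as_of - entry.password_changed).days
        if age > interval.days:
            stale.append((entry.user, entry.system, age))
    return sorted(stale)


def run_review(as_of=AS_OF, access_log=ACCESS_LOG, staff=STAFF) -> dict:
    """Full review output for the SIRO to act on."""
    return {
        "suspend": accounts_to_suspend(access_log, staff, as_of),
        "orphans": orphan_accounts(access_log, staff),
        "stale_passwords": stale_passwords(access_log, as_of),
    }


if __name__ == "__main__":
    for section, items in run_review().items():
        print(f"{section}: {items}")
```

The review is a detective control: it finds access that should already have been removed. Running it on a schedule (and whenever the staff list changes) closes the gap between someone leaving and the Director updating the log. External accounts that legitimately exist (see External access below) should be added to the staff list with an end date so they stop showing up as orphans.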

Software and systems audit logs

We will ensure that all major software and systems have inbuilt audit logs, wherever possible, so that we can monitor what users have accessed and what changes have been made. Although audit logging is not a preventative measure, it allows the integrity of the data to be verified after the fact and deters individuals from accessing records without authorisation.

External access

On occasions we will need to allow individuals who are not part of our workforce to have access to systems. This could be, for example, for audit purposes, to fulfil an inspection, or because of a partnership arrangement with another organisation. The Director is required to authorise all instances of third parties having access to systems. 

We will maintain an access log, detailing who has been given access to what systems and who authorised the access. 

Physical Security 

We will maintain high standards of physical security to prevent unauthorised access to personal data. We will maintain the following controls:

Clear desk policy

Individuals will not leave personal data on desks, or any other working areas, unattended and will use the lockable storage units provided to secure personal data when not in use.

Secure disposal 

We will ensure that all personal data is securely disposed of in accordance with the retention periods set out in our ROPA. Hard copy information will be securely destroyed by shredder or a confidential waste provider. Electronically held information will be deleted automatically, with retention periods built into the system, wherever possible. Otherwise, manual review and deletion will take place at least annually. 

Redundant computer equipment will be disposed of in accordance with the Waste Electrical and Electronic Equipment (WEEE) Regulations and through secure and auditable means.

Environmental Security 

In addition to maintaining high standards of physical security to protect against unauthorised access to personal data, we must also protect data against environmental and natural hazards such as power loss, fire, and floods. 
 
It is accepted that these hazards may be beyond our control, but we will implement the following mitigating controls:

Back-ups

We will regularly back up our electronic data and systems and conduct tests to ensure that they restore correctly. These backups will be held in a different location to the main server or held off-site by an external provider. This arrangement will be governed by a data processing agreement. Should an environmental or natural hazard compromise our electronic systems then we will be able to reinstate the data from the backup with minimal disruption. 

Systems and Cyber Security

We will protect against hazards to our IT network and electronic systems. It is recognised that the loss of, or damage to, IT systems could affect our ability to operate and could potentially endanger the safety of our workforce.

We will implement the following security controls in order to mitigate risks to electronic systems:

Firewalls and anti-virus software

We will ensure that firewalls and anti-virus software are installed on electronic devices and routers. Updates and patches to firewalls, anti-virus software and other systems will be applied as soon as they are made available, so that security weaknesses are addressed as soon as they are known. We will review our firewalls and anti-virus software on an annual basis and decide whether they are still fit for purpose.

Phishing emails

To prevent our computer systems being compromised through phishing emails, users must not click on links in emails whose source is unverified. Employees will also take care when clicking on links from trusted sources, in case those email accounts have been compromised. Users will check if they are unsure about the validity of an email and must immediately inform the SIRO if they have clicked on a suspicious link. We will ensure staff have received adequate training to be able to recognise such emails.

Communications Security

The transmission of personal data is a key business need and, when carried out securely, benefits us and users alike. However, data in transit is susceptible to unauthorised disclosure, loss or corruption. We have implemented the following transmission security controls to mitigate these risks:

Sending personal data by email

We will only send personal data and special category data by email if using a secure email transmission portal.

Individuals will always double check the recipient’s email address to ensure that the email is being sent to the intended individual(s). Use of address autocomplete is strongly discouraged.

When sending emails to a large number of recipients, such as a mail shot, or when it would not be appropriate for recipients to know each other’s email addresses then we will utilise the Blind Copy (BCC) function.

Data Breaches

Article 33 of the UK GDPR requires data controllers to report personal data breaches to the Information Commissioner’s Office within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s). Where a breach is likely to result in a high risk to individuals, Article 34 additionally requires the affected data subject(s) to be informed without undue delay.

All actual and suspected breaches of security or confidentiality are to be reported in accordance with the Data Breach Procedure set out in Appendix Three of this document.

Business Continuity

We will ensure that we have a Business Continuity Plan in place to ensure we can continue normal business in the event of a security incident. 

We have a process in place for testing, assessing and evaluating the effectiveness of the measures we have in place. 

Records Management

A programme is in place for managing our records throughout their lifecycle, including using methods such as version control and file plans to ensure that records can be easily searched and accessed in the event of an information request. 

Email management

We have a process in place to ensure that emails are also managed in line with this policy and our retention schedule. Emails discussing organisational business or reflecting significant actions or decisions concerning organisational business will not be stored in personal email inboxes but will be removed and stored securely in the appropriate filing system. 

Personal email inboxes are regularly reviewed by staff to ensure any unnecessary emails are deleted.

Storage and security

All records, especially where containing personal data, will be stored securely to maintain confidentiality, whilst also keeping information accessible to those authorised to see it. Electronic records will have appropriate security and access controls in place, and systems will have robust audit functions in place wherever possible.

Paper records will be stored in secure, lockable storage areas with restricted access.

When sharing or transferring records containing personal information, we will ensure appropriate transmission security controls are in place.

Retention and disposal

The retention period for particular types of records is determined by legal, regulatory or functional requirements. 

We will ensure that any records containing personal or confidential information are disposed of appropriately and securely when they have reached the end of their retention period as per our ROPA.

Records held in databases or electronic management systems with the functionality for automatic destruction of records after a specified period of time will be used wherever possible. A review of the records will be conducted prior to destruction, where practical.

Where automatic disposal is not in place, for example for paper records, we will conduct a manual review, at least annually, to ensure they are deleted in line with retention guidelines.

The disposal of all information is documented to ensure that we maintain a record of when it has been deleted and by whom. This allows us to evidence that a record no longer exists in the event of a subject access request being received.

Training

We will ensure that appropriate guidance and training is given to our workforce and other authorised users on data protection, records management and access to information. Training will be delivered as part of the induction process and as refresher training at appropriate intervals.

Specialised roles or functions with key data protection responsibilities, such as the SIRO and SPOC, will also receive additional training specific to their role.

We will keep a record of all training that has been completed and ensure that data protection awareness is raised in staff briefings and as standard agenda items in meetings, where appropriate.

We will ensure that any third-party contractors have adequately trained their staff in information governance by conducting the appropriate due diligence.

Complaints

We take complaints seriously, and any concerns about the way we have handled personal data or requests for further information in relation to data protection, should be raised with the SPOC. We will then consult with the DPO, where necessary, for advice and guidance.

If an individual remains dissatisfied after we have concluded our investigation, they may complain to the Information Commissioner’s Office. Their contact details are below:

Phone: 0303 123 1113 or via their live chat. Their normal opening hours are Monday to Friday between 9am and 5pm (excluding bank holidays). You can also report, enquire, register and raise complaints with the ICO using the web form on their ‘Contact us’ page.

 
Appendix One – Appropriate Policy Document (APD)

Introduction 

Tutorfox processes special category and criminal conviction data in the course of fulfilling its functions. Schedule 1 of the Data Protection Act 2018 requires Data Controllers to have in place an ‘Appropriate Policy Document’ where certain processing conditions apply for the processing of special categories of personal data and criminal convictions data. This policy fulfils this requirement. 

This policy complements our existing records of processing as required by Article 30 of UK General Data Protection Regulation, which has been fulfilled by the creation and maintenance of our ROPA. It also reinforces our existing retention and security policies, procedures and other documentation in relation to special category data. 

Special categories and conditions of processing

We process the following special categories (SC) of data:

•    Health/medical data, including SEN

We rely on the following processing conditions under Article 9 of UK GDPR and Schedule 1 of the Data Protection Act 2018 to lawfully process special category data: 

Article 9(2)(g) – reasons of substantial public interest

Our processing of health or medical data, in particular SEN information, is carried out for reasons of substantial public interest. We must process this data in order to connect learners with a suitable tutor and deliver appropriate services.

When processing data under Article 9(2)(g), we also require a Schedule 1 condition under the Data Protection Act 2018. The conditions we rely on for this processing are Schedule 1, Part 2, (8) – equality of opportunity or treatment.

We also process criminal offence (CO) data under Article 10 of UK GDPR, including for pre-registration due diligence and security checks of tutors in line with contractual obligations.

We rely on the following processing conditions under Article 6 of UK GDPR and Schedule 1 of the Data Protection Act 2018 to lawfully process criminal offence data: 

Article 6(1)(b) – performance of a contract

We must process criminal offence data in order to ensure that our tutors are suitable to provide services and to safeguard learners.  

When processing data under Article 10, we also require a Schedule 1 condition under the Data Protection Act 2018. The conditions we rely on for this processing are Schedule 1, Part 2, (10) – preventing or detecting unlawful acts, and Schedule 1, Part 2, (18) – safeguarding of children and individuals at risk.

Compliance with Data Protection Principles

We have several policies and procedures in place to ensure our compliance with the Article 5 Data Protection Principles and meet our accountability obligations, explained in more detail below:

Accountability principle

We have put in place appropriate technical and organisational security measures to meet the requirements of accountability. These include:

•    The appointment of a Data Protection Officer.
•    Taking a data protection by design and default approach to our processing activities, including the use of risk assessments.
•    Maintaining documentation of our processing activities through a ROPA. 
•    Adopting and implementing information governance policies and ensuring we have written contracts in place with Data Processors.
•    Implementing appropriate security measures in relation to the personal data we process. 

Principle (a): lawfulness, fairness and transparency

Processing personal data must be lawful, fair and transparent. We have identified an appropriate Article 6 condition and also, where processing SC or CO data, an Article 9 or Article 10 condition together with a Schedule 1 condition. 

We consider how any processing may affect individuals concerned and provide clear and transparent information about why we process personal data, including our lawful bases, in our privacy notices and this policy document. All privacy notices provide details of data subject rights. Our privacy information is regularly reviewed and updated to ensure it accurately reflects our processing.

Principle (b): purpose limitation

Personal data is only processed to allow us to conduct the necessary functions and services we are required to provide in line with legislation. We clearly set out our purposes for processing in our privacy notices, policies and procedures, and in our ROPA. If we plan to use personal data for a new purpose, other than a legal obligation or function set out in law, we check that it is compatible with our original purpose, or we obtain specific consent for the new purpose.

Principle (c): data minimisation

We only collect the minimum personal data needed for the relevant purposes, ensuring it is necessary and proportionate. Any personal information that is no longer required, especially where it contains special category data, is anonymised or erased.

Principle (d): accuracy

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is processed, we will take every reasonable step to ensure that data is erased or rectified without delay. Where we are unable to erase or rectify the data, for example because the lawful basis we rely on to process the data means these rights do not apply, we will document our decision. Where we have shared information with a third party, we will take all reasonable steps to inform them of the inaccuracies and rectification. We maintain a log of all data rights requests and have appropriate processes for handling such requests. 

Principle (e): storage limitation

We have listed retention periods in our ROPA.  Where there is no legislative or best practice guidance in place, the SIRO will decide how long the information should be retained based on the necessity to keep the information for a legitimate purpose or purposes. We also maintain a Destruction Log, which documents what information has been destroyed, the date it was destroyed and why it has been destroyed. 

Principle (f): integrity and confidentiality (security)

We employ various technical and organisational security measures to protect the personal and special category data that we process. 

In the event of a personal data breach the incident will be recorded on a log, investigated, and reported to our Data Protection Officer where necessary. Incidents likely to result in a risk to individuals are reported to the Information Commissioner’s Office, and affected individuals are informed where the risk is high. 

Retention of special category and criminal convictions data

The retention periods of special category and criminal convictions data are set out in our ROPA.

 
Appendix Two – Subject Access Requests (SARs)

Under the UK GDPR, individuals have the right to make a Subject Access Request (SAR) to any member of our workforce, contractor or agent working on behalf of Tutorfox. Requests need not be made in writing, but we encourage applicants to do so where possible. Requests should be forwarded to the SPOC who will log the request and acknowledge it within five working days. 

We must be satisfied of the requestor’s identity and may have to ask for additional information to verify this, such as:

•    valid photo ID, such as driver’s licence or passport,
•    proof of address, such as a utility bill or council tax letter,
•    confirmation of email address, or
•    further information for Tutorfox to be satisfied of the applicant’s identity.

Only once we are confident of the requestor’s identity and have sufficient information to understand the request will it be considered valid. We will then respond to the request within the statutory timescale of one calendar month.

We can apply a discretionary extension of up to a further two calendar months where the request is complex, or the volume of records is such that responding would take a considerable amount of time. If we wish to apply an extension, we will first seek guidance from our DPO, then inform the applicant of the extension within the first calendar month of receiving the request. 

If we think it necessary to apply any exemptions, we will seek guidance from our DPO. In limited circumstances, we may also refuse a request on the basis that it is manifestly unreasonable or excessive. 

Internal Review

Complaints in relation to SARs and other data subject rights will be processed as an internal review request. 

An internal review will be dealt with by an appropriate member of staff who was not involved in the original request. They will examine the original request and response and decide whether it was dealt with appropriately under the legislation. The reviewing officer will decide whether to uphold or overturn any exemptions. A full response will be provided within one calendar month where possible.

If an individual remains dissatisfied after we have concluded our investigation, they may appeal to the Information Commissioner’s Office. Their contact details are below:

Phone: 0303 123 1113 or via their live chat. Their normal opening hours are Monday to Friday between 9am and 5pm (excluding bank holidays). You can also report, enquire, register and raise complaints with the ICO using the web form on their ‘Contact us’ page.

 
Appendix Three – Data Breach Procedure

Introduction

To enable us to report serious incidents to the ICO within 72 hours it is vital that we have a robust system in place to manage, contain, and report such incidents. 

This procedure has been written to govern our management of data breaches.

Roles and responsibilities

Senior Information Risk Owner (SIRO) – Anna Sinclair, Director
Data Protection Officer (DPO) – Veritau

Immediate actions (within 24 hours)

An actual data breach, or an information security event (a ‘near-miss’), must be reported to the Senior Information Risk Owner (SIRO) within 24 hours. The SIRO will then contact the Data Protection Officer (DPO) as soon as possible for advice on risk and the investigation process.

If appropriate, the individual who discovered the breach will make every effort to retrieve the information and/or ensure recipient parties do not possess a copy of the information. 

Investigation (within 48 hours)

In consultation with the DPO, the SIRO will assess the data protection risks and determine the severity of the breach.  They will conduct an initial investigation proportionate to the level of risk and carry out immediate actions that need to take place to contain the incident.  The SIRO will ensure that the investigation and actions taken are documented appropriately.

Reporting to the ICO/Data Subjects (within 72 hours)

The SIRO, in conjunction with the DPO will determine whether the incident meets the threshold to be reported to the ICO, and whether any data subjects need to be informed. The SIRO will be responsible for liaising with data subjects and the DPO for consulting with the ICO.

Concluding incidents

The SIRO, in consultation with the DPO, will ensure all investigations have been conducted thoroughly and all highlighted information security risks addressed.

All incidents, including near-misses, should be recorded on our Data Breach Log, along with the outcome of the investigation.