Brute Force Protection by Security by CleanTalk.
All attempts are logged.
← Go to Suffolk & Norfolk SCITT
PRIVACY NOTICE
FOR TRAINEES, ECTs, EMPLOYEES, CONSULTANTS, MENTORS, CONTRACTORS, PARTNER SCHOOL AND PARTNER ORGANISTATIONS
ABOUT THIS DOCUMENT
Suffolk and Norfolk SCITT is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR). It applies to all trainees, employees, consultants, mentors, contractors, partner schools and partner organisations, but does not form part of any contract of employment or other contract to provide services.
Suffolk and Norfolk SCITT is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information. We may amend this notice at any time.
Suffolk and Norfolk SCITT has appointed a Data Protection Officer from School’s Choice Data Protection Service as its data protection officer. Her role is to inform and advise the organisation on its data protection obligations. She can be contacted at data.protection@schoolschoice.org and questions about this policy, or requests for further information, should be directed to her.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about you must be:
The kind of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection. These are data about ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sex life, criminal proceedings or convictions, genetic or biometric data.
We will collect, store, and use some or all of the following categories of personal information about you:
We may also collect, store and use the following “special categories” of more sensitive personal information:
How is your personal information collected?
We collect personal information about trainees, employees, consultants, mentors, contractors, partner schools and partner organisations either directly from candidates and referees or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers or other background check agencies
We will collect additional personal information in the course of job-related or training-related activities throughout the period of you working for us or training with us.
How we will use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
We may also use your personal information in the following situations, which are likely to be rare:
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you, training you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Consent
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
Data sharing
We may share your data with third parties, including third-party service providers, where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. We require third parties to respect the security of your data and to treat it in accordance with the law. In the case of trainees, we will share performance and other data with the University of Suffolk, placement school staff, schools requesting employment references, mentors and personal tutors.
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Transferring information outside the EU – (applicants and trainees only)
We will transfer the personal information we collect about you to certain countries outside the EU, in order to perform our contract with you as we use Google Drive as our Virtual Learning Environment. Occasionally, we may also transfer files using DropBox or WeTransfer when we are unable to use email. We will ensure that your personal information receives an adequate level of protection and is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection.
Security
We have appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a training or business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Data retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Data on unsuccessful applicants to our courses (paper and electronic) will be kept for 1 academic year and then destroyed.
Data on trainees (paper and electronic) will be kept for 7 years after training is completed and will then be destroyed.
We will keep a record of the personal email addresses of ECTs so that we can stay in contact to offer support after the course is complete.
Rights of access, correction, erasure, and restriction
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Under certain circumstances, by law you have the right to:
Contact
For further information about your rights, or if you have any questions about this privacy notice or how we handle your personal information, please contact Anna Richards, Executive Leader Suffolk and Norfolk SCITT (anna.richards@suffolk.gov.uk) You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You will be asked to complete an acknowledgment form to confirm that you have read and understood both the Suffolk and Norfolk SCITT Privacy Notice and Data Protection Policy.
By signing this acknowledgement, you are agreeing to your data being processed as outlined in the Privacy Notice and agreeing to follow the Data Protection Policy at all times.
Written and agreed: May 2018
Updated: August 2018
Reviewed: May 2022
Next Review: June 2023
Suffolk and Norfolk SCITT Data Protection Policy
Introduction
Suffolk and Norfolk SCITT is committed to being transparent about how it collects and uses the personal data of its trainees, employees, consultants, mentors, contractors, partner schools and partner organisations and to meeting its data protection obligations.
This policy sets out Suffolk and Norfolk SCITT’s commitment to data protection, and individual rights and obligations in relation to personal data.
Suffolk and Norfolk SCITT has appointed a Data Protection Officer from the Suffolk School’s Choice Data Protection Service as its data protection officer. Her role is to inform and advise the organisation on its data protection obligations. She can be contacted at data.protection@schoolschoice.org and questions about this policy, or requests for further information, should be directed to her.
Definitions
Data Protection Principles
Suffolk and Norfolk SCITT processes personal data in accordance with the following data protection principles:
Where Suffolk and Norfolk SCITT processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with the General Data Protection Regulation (GDPR).
Suffolk and Norfolk SCITT will update personal data promptly if an individual advises that their information has changed or is inaccurate. Data gathered is held in:
The periods for which Suffolk and Norfolk SCITT holds personal data are contained in its privacy notices/retention schedule. The organisation keeps a record of its processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
Data Retention
Suffolk and Norfolk SCITT maintains a retention schedule which is based on guidance from the information and records management society: http://www.irms.org.uk/resources/information-guides/199-rm-toolkit-for-school
We will only retain personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Data on unsuccessful applicants to our courses (paper and electronic) will be kept for 1 academic year and then destroyed.
Data on trainees (paper and electronic) will be kept for 7 years after training is completed and will then be destroyed.
We will keep a record of the personal email addresses of ECTs so that we can stay in contact to offer support after the course is complete.
Individual Rights
As a data subject, individuals have a number of rights in relation to their personal data.
Subject Access Requests
Individuals have the right to make a subject access request. If an individual makes a subject access request, Suffolk and Norfolk SCITT will tell them:
Suffolk and Norfolk SCITT will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless they agree otherwise.
To make a subject access request, the individual should complete the relevant form/send the request to anna.richards@suffolk.gov.uk In some cases, the Suffolk and Norfolk SCITT may need to ask for proof of identification before the request can be processed.
Suffolk and Norfolk SCITT will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the Suffolk and Norfolk SCITT processes large amounts of the individual’s data, it may respond within three months of the date the request is received. Suffolk and Norfolk SCITT will write to the individual within one month of receiving the original request to tell them if this is the case.
If a subject access request is manifestly unfounded or excessive, Suffolk and Norfolk SCITT is not obliged to comply with it. Alternatively, Suffolk and Norfolk SCITT can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which Suffolk and Norfolk SCITT has already responded. If an individual submits a request that is unfounded or excessive, Suffolk and Norfolk SCITT will notify them that this is the case and whether it will respond to it.
Other Rights
Individuals have a number of other rights in relation to their personal data. They can require Suffolk and Norfolk SCITT to:
To ask Suffolk and Norfolk SCITT to take any of these steps, the individual should send the request to anna.richards@suffolk.gov.uk.
Freedom of Information
Suffolk and Norfolk SCITT is subject to The Freedom of Information Act 2000 (FOI) and Environmental Information Regulations 2004 (EIR) and all requests for information that is not personal information must be treated as a FOI or EIR. These requests must be fully responded within 20 working days by law. The information will be provided unless Suffolk and Norfolk SCITT can provide an exemption or exception under the FOI act or EIR respectively.
Data Security
Suffolk and Norfolk SCITT takes the security of personal data seriously. It has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. Suffolk and Norfolk SCITT is working towards a clear desk policy.
Where Suffolk and Norfolk SCITT engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
An Information Risk Register will be created and maintained by Suffolk and Norfolk SCITT which summarises each information asset the organisation maintains. Appropriate measures will be taken to mitigate the risk of disclosure of each information asset based on the impact level assigned.
Data Breaches
If Suffolk and Norfolk SCITT discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. Suffolk and Norfolk SCITT will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
Individual Responsibilities
Individuals are responsible for helping Suffolk and Norfolk SCITT keep their personal data up to date. Individuals should let Suffolk and Norfolk SCITT know if data provided to the organisation changes, for example if an individual moves house.
Individuals may have access to the personal data of other individuals in the course of their employment. Where this is the case, Suffolk and Norfolk SCITT relies on individuals to help meet its data protection obligations.
Individuals who have access to personal data are required:
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
Training
Suffolk and Norfolk SCITT will provide training to all individuals (including trainees and consultants) about their data protection responsibilities as part of the induction process and at regular intervals thereafter.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
Suffolk and Norfolk SCITT Staff
Trainees
ECTs
Suffolk and Norfolk SCITT Consultants
Roles and Responsibilities
The senior information risk owner (SIRO) for the Suffolk and Norfolk SCITT is Anna Richards
They are responsible for:
All staff are responsible for ensuring that information is managed according to this policy.
Policy Review
Anna Richards, Executive Leader, and the Suffolk School’s Choice Data Protection Officer, are responsible for monitoring the arrangements set out in this document.
The policy will be reviewed every 2 years.
Written and agreed: May 2018
Updated: August 2018
Reviewed: May 2022
Next Review: May 2023