The purpose of this policy is to ensure fair and lawful processing of student and staff personal data, including sensitive personal data, in compliance with the institution’s Data Protection obligations under current law. This policy applies to all applicants, students and staff and allows the institution to function effectively, monitor performance and achievements, organise programmes and comply with legal obligations to funding bodies, government regulations and company legislation such as health and safety and equal opportunities.
2.1 Nature of Information collected
Central Film School London (“CFSL”, “We”, “US”) complies with the General Data Protection Regulation (GDPR). In summary this states that personal data, including sensitive personal data shall be:
· processed fairly and lawfully and shall not be processed unless certain conditions are met
· obtained for specified and lawful purposes and not further processed in a manner incompatible with that purpose
· adequate, relevant and not excessive
· accurate and where necessary up to date
· kept for no longer than necessary
· processed in accordance with data subjects’ rights
· protected by appropriate security
· not transferred without adequate protection
3. Notification of Data Held and Processed
Where do we get your personal data?
We obtain personal data about you from the following sources:
· from you when you provide your contact details for open day activities, filled in one of our form on our webpage or register as a student with us.
. the school will use this data to provide with information on the programme or any similar programme you are interested in. We will also use this data to contact you regarding possible Open Days where you can learn more about the School and the programme we offer.
· from third party sources (e.g. UCAS, Centurusone – our application portal). When we obtain personal data about you from third party sources, we will look to ensure that the third party has lawful authority to provide us with your personal data.
. The data you submitted to the School will form the basis of your student record. The School therefore needs to use your data as the first steps towards potentially entering in to a student contract with you, and, if you are admitted as a student, to perform its obligation under the student contract.
3.1 All staff, students, and other users are entitled to know:
· what personal information CFSL holds and processes about them and why
· how to gain access to it
· how to keep it up to date
· what CFSL is doing to comply with its obligations
3.2 The data types of student information held about past, present and future students may include:
· personal information (the personal data the School collects from you at registration includes your name, contact details, emergency contact details, date of birth, nationality, academic qualifications, details of disability, details of criminal convictions and Fee information and sponsorship details)
· sensitive personal data (racial or ethnic origin, health, sexual orientation)
· assessment information
· financial information (for visa application purposes)
and is processed to comply with the requirements of official bodies e.g. School of Gloucestershire, OFS, SLC, UKVI as part of the educational process.
We take appropriate precautions to protect Personal data from loss, misuse, unauthorized access or disclosure, alteration or destruction. All personal data are stored in secure databases.
3.3 The types of staff information held include:
• personal information
• sensitive personal data
• work performance information
• financial information
and is processed for the proper administration of the employment relationship both during and after employment.
4. NOTE ON PROCEDURE
Institution staff and students or others who process or use any personal information must ensure that they follow these principles at all times. Any breach of the Data Protection policy or the 1998 Act, be they a member of staff or student, whether deliberate or through negligence, may result in disciplinary procedures being instigated against them and possibly a criminal prosecution.
4.1 Staff Guidelines
4.1.1 Compliance with the General Data Protection Regulation (GDPR) is the responsibility of all members of CFSL.
4.1.2 All staff are responsible for:
· Checking that any information that they provide in connection with their employment is accurate and up-to-date.
· Informing their line manager of any changes to information, which they have provided. e.g. changes of address.
· Informing their line manager of any errors or changes.
· Staff whose work involves the management of student data must ensure they observe the principles of the General Data Protection Regulation Act and comply with supplementary guidance issued from time to time.
· Staff whose work includes responsibility for supervision of students’ academic work have a duty to ensure that students observe the principles of the General Data Protection Regulation or supplementary guidance issued from time to time.
4.1.8 All staff are responsible for ensuring that:
· Any personal data, which they hold, whether in electronic or paper format, is kept securely.
· Personal information is not disclosed deliberately or accidentally either orally or in writing to any unauthorized third party, except where it is required for the normal delivery of programmes.
· CFSL will not disclose any student’s personal information including fees, academic achievement or any other related information with any third party including parents or guardians unless specific permission in writing has been granted by the student.
4.1.9 Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. It may also be a criminal matter in which the individual concerned could be held individually criminally liable as well as the School.
5. Student Guidelines
5.1 Compliance with the General Data Protection Regulation is the responsibility of all members of CFSL.
5.2 All students are responsible for:
· Checking that any information that they provide in connection with their studies is accurate and up-to-date.
· Informing Programme Administration of any changes to information, which they have provided e.g. changes of address.
· Informing Administration of any errors or changes.
5.3 Student undertaking research projects using personal data must ensure that:
· The research subject is informed of the nature of the research and consents to their personal information being used.
· Their tutor is informed of the proposed research before it begins, and ensures that CFSL is authorised to undertake this kind of research.
· All information is kept securely.
· They observe the principles General Data Protection Regulation and comply with supplementary guidance issued from time to time.
6. PROCESSING OF PERSONAL INFORMATION
6.1 The institution processes data relating to its students for a variety of purposes. These include but are not limited to:
· Maintenance of the student record (including personal and academic details) and management of academic processes (for example, academic audits, examination boards and awarding of degrees)
· Alumni operations, including marketing
· The provision of advice and support to students via the Administration department, academic staff and disability support
· Internal research, including monitoring quality and performance
6.2 The institution allows access to employees and agents of CFSL on a need-to-know basis only. Student information is disclosed to a variety of third parties or their agents, notably:
· Students’ sponsors (The Awarding Body, UK Visa & Immigration Department, the Student Loans Company and funding councils).
· Relevant government departments to whom we have a statutory obligation to release information (including OFS, the National Student Survey, UKVI and Council Tax officers).
· Current or potential employers of our students
· The agency compiling the National Student Survey
· Transport for London as part of the 18+ Student Oyster card scheme, where applicable
· Disclosures to organisations not listed above will be made in specific legitimate circumstances. Consent from the student will be sought where necessary and students will be informed of such disclosures unless exceptional circumstances apply.
7. Publication of Information relating to staff and students of CFSL
7.1 It is the policy of CFSL to make public as much information about the institution as possible. This includes, but is not limited to:
· The organisational structure showing roles and names
· Members of the Board of Governors
· Members of committees of the Board of Directors and Academic Board
· List of key staff
· List of students to whom awards have been made or are likely to be made by the institution
7.2 Any individual having good reason for wishing details in these lists or categories to remain confidential should contact Administration department in writing.
7.3 Information that is already in the public domain is exempt from General Data Protection Regulation.
7.4 Care must be taken when capturing close-up images (including photos, videos, film) of staff or students, whether or not these individuals are named. Of key importance is the expectation of privacy on the part of those whose image it is proposed to capture. Consent to image capture is not required in the public spaces of the institution (including lounges, corridors or library) but is required where the expectation of privacy is greater (including classrooms, studios, and meeting rooms).
8. RIGHT TO ACCESS INFORMATION
Staff, students and other users of CFSL are entitled to ask the School to provide you with details of whether any personal data about you is being processed and if so, to be given a description of the personal data why and how it is being used and whether it will be given to any other organisations or people. You can ask for a copy of the information comprising the data and details of the source of the data (where it is available). This is known as the right of Subject Access. You can request those information by writing to our Administration department.
You also have other rights under the General Data Protection Regulation, namely the right to object to processing that is causing you damage or distress, to prevent processing for direct marketing, to object to decisions being taken by automated means, in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed and a right to claim compensation for damages caused by a breach. If you wish to exercise these rights, please contact the School on firstname.lastname@example.org
9. How long will the School keep your personal data?
The School will keep your full student record for six years after the end of the academic year in which you graduate from, or otherwise leave, the School. After six years, the School will retain only the data necessary to identify you and to confirm the dates you studied at the School, the degree and classification you were awarded and a transcript of your marks. All other personal data on your student record will be disposed of in a secure manner. Data on prospective students will be held for a period of 2 years.
The School, and several individual departments / schools within the School, operate alumni societies but personal data collected for this purpose is held separately from your student record.
11. Your rights as a data subject
You have the right to:
· withdraw consent where that is the legal basis of our processing;
· access your personal data that we process;
· rectify inaccuracies in personal data that we hold about you;
· be forgotten, that is your details to be removed from systems that we use to process your personal data;
· restrict the processing in certain ways;
· obtain a copy of your data in a commonly used electronic form; and
· object certain processing of your personal data by us.