Data Protection Policy
Oxford School of English is committed to making sure that the privacy of our data subjects is protected, in line with current data protection regulations.
This is the general data protection policy for Oxford School of English (OSE) for the educational services and support services we provide.
Aim and scope of policy
This policy explains what information we collect, how we use this information, how our data subjects can tell us if they prefer to limit the use of their information, and the procedures that we have in place to safeguard their privacy.
It also covers our response to any data breach and other rights under GDPR.
We collect personal information from the following data subjects:
- Students and their next-of-kin (emergency contacts)
- Homestay families
- Teaching and support staff
- Agents/representatives, Educational Travel Operators (ETOs), sponsors (such as embassies)
- Self-employed contractors
We collect different types of personal information for these reasons:
- To help students to enrol for our courses and send them the information they need to attend
- To make sure that we are fulfilling our legal obligations
- To help us to monitor and improve the services we offer
- To keep students up-to-date about the courses they have enrolled for, or services they have bought
- To fulfil contracted services
- If we have permission from the user, to market courses and services to them.
We make a commitment to ensure that personal data, including special categories of personal data and criminal offence data (where appropriate), is processed in line with GDPR and domestic laws, and that all our employees conduct themselves in line with this and other related policies.
Where third parties process data on behalf of OSE, we will ensure that the third party takes such measures in order to maintain OSE’s commitment to protecting data. In line with GDPR, we understand that the school will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.
Types of data held
Personal data is kept in personnel files or within OSE's HR systems. The following types of data may be held by OSE, as appropriate, on relevant individuals including teaching and support staff, homestay families and students:
- name, address, email, phone numbers (including mobile phone), for individual and next of kin
- date of birth, gender, nationality and first language
- passport, visa/biometric details where necessary (or alternative ID, such as driving licence)
- CVs and other information gathered during recruitment (degree and teaching qualification)
- references from former employers and character references
- National Insurance number
- bank account details
- job title, job descriptions and pay grades
- course of study (for students)
- conduct issues such as letters of concern, disciplinary proceedings
- holiday records
- internal performance information
- medical or health information
- DBS number
- sickness absence records
- tax codes
- terms and conditions of employment
- training details
We collect information:
- when students enrol for a course
- when homestay providers, agent representatives, ETOs or sponsors work with us
- when we engage teaching or support staff
- through cookies on our website
Data protection principles
All personal data obtained and held by OSE will:
- be processed fairly, lawfully and in a transparent manner
- be collected for specific, explicit, and legitimate purposes
- be adequate, relevant and limited to what is necessary for the purposes of processing
- be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
- not be kept for longer than is necessary for its given purpose
- be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
- comply with the relevant GDPR procedures for international transferring of personal data.
We collect personal data in the full knowledge that your rights are protected. Therefore you have the right:
- to be informed
- of access
- for any inaccuracies to be corrected (rectification)
- to have information deleted (erasure)
- to restrict the processing of the data
- to portability
- to object to the inclusion of any information
- to regulate any automated decision-making and profiling of personal data.
Oxford School of English has taken these steps to protect the personal data it holds of relevant individuals:
- it provides information to its staff, students and homestay families on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way
- it provides its staff, students and homestay families with information to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially
- it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
- it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by OSE
- it recognises the importance of seeking our data subjects' consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so. OSE understands that consent must be freely given, specific, informed and unambiguous. OSE will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought.
- it will always make it as easy as possible for our data subjects to choose not to allow us to use their data, providing it does not prevent us from giving them the service requested or undertaking the agreed contract.
- it has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report significant breaches that cause significant harm to the affected individuals to the Information Commissioner, and is aware of the possible consequences
- it is aware of the implications of international transfer of personal data.
Access to data
As a data subject, you can check, correct, or instruct OSE to limit or erase any personal information we might hold about you. You can also ask us to provide all the information we hold on you.
To do this, you should send your request to the Director of Studies.
We promise to action your request within 30 days. If you are not satisfied with the way your request was handled, you have the right to make a complaint with the Information Commissioner's Office.
OSE may be required to disclose certain data/information to any person for these reasons:
- any employee benefits operated by third parties
- disabled individuals - whether any reasonable adjustments are required to assist them at work
- individuals' health data - to comply with health and safety or occupational health obligations towards the employee
- for Statutory Sick Pay purposes
- HR management and administration - to consider how an individual’s health affects his or her ability to do their job
- the smooth operation of any employee insurance policies or pension plans
- homestay details to agents acting in the interests of their students.
These kinds of disclosures will only be made when strictly necessary for the purpose.
OSE adopts procedures designed to maintain the security of data when it is stored and transported in accordance with GDPR.
OSE ensures that:
- all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them
- all files or written information of a confidential nature are not left where they can be read by unauthorised people
- regular checks are made on the accuracy of data being entered into computers
- it always uses the passwords provided to access the computer system and does not abuse them by passing them on to people who should not have them
- it uses computer screen blanking to ensure that personal data is not left on screen when not in use.
International data transfers
OSE may be required to transfer personal data to a country/countries outside of the EEA. This is because agents/representatives, Educational Travel Operators (ETOs), sponsors (such as embassies) require such information so that the services which form part of our contract can be delivered. We manage this process under Legitimate Interest.
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of OSE becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual.
If the breach is sufficient to warrant notification to the public, OSE will do so without undue delay.
This policy is reviewed on an annual basis. However, if any issues relating to the policy should arise, the policy will be reviewed immediately.
Date of next scheduled review: June 2023