1. Purpose
To provide a procedure and set of principles regarding the processing and protection of personal data contained within manual records and upon computer databases. It is also aimed at ensuring compliance with the Data Protection Act 1998 and General Data Protection Regulations (GDPR) 2018.
2. Scope
All established and temporary employees who work under a contract of employment and all agency staff, contractors and consultants who work under a contract for service who have, or who may potentially have access to personal data contained on computer databases or in manual records.
This document is focused on the control of data held on employees. From time to time BEAT may hold data on trustees, customers, students, and parents / guardians of students some of which may be of a sensitive and / or confidential nature. It is BEAT's intention that the same principles as laid out in this document for employee data will be applied to trustees’, customers’, students’ and parents’ / guardians’ data.
3. Policy Statement
BEAT not only intends to comply with its obligations under the Data Protection Act 1998 and the General Data Protection Regulations 2018, but also wishes to assure employees, customers and all other persons about whom it retains personal data, that this will be processed in compliance with both the Act and the GDPR and will be stored in a secure, confidential and appropriate manner. The data will only be stored whilst relevant and will not be disclosed to any person without the employee’s personal written authority or unless required by law.
An annual audit of data stored will take place and all data will only be stored if the reason for doing so is one of the accepted reasons as defined by the GDPR. The reason for storing the data will be logged in the audit with an explanation for doing so.
"Sensitive" and other "Personal Data" relating to an individual will only be processed by BEAT as far as this may be required in connection with the employment of that individual by BEAT and, if by the data processor in accordance with any requirements or instructions imposed by the data controller.
The persons responsible for the application of this policy are the CEO and Senior Management Team of BEAT.
4. Definitions
The majority of data held by BEAT concerns employees. For the purposes of this document the term employee includes:
- Full time employees
- Part time employees
- Consultants
- Contractors
- Agency Staff
The following terms are used throughout this policy and its application. These definitions comply with those used within the Data Protection Act. Each term is therefore defined as follows:
"Data" is information which:
- Is processed by equipment operating automatically in response to instructions given for that purpose
- Is recorded with the intention that it should be so processed
- Is recorded as part of a relevant filing system
"Relevant filing system" refers to any set of information relating to individuals to the extent the set is structured, either by reference to individuals or by reference to a criteria relating to individuals, in such a way that specific information relating to a particular individual is ready and accessible. Rules cover both computerised records and manual records.
"Personal data" is data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in possession of the data controller), including any expression of opinion about the individual and any indications of the intention of the data controller or any other person in respect to that individual.
"Sensitive personal data" means personal data consisting of information as to racial or ethnic origins, political beliefs, physical or mental health, sexual life, offences or alleged offences and past sentences and whether (s)he is a member of a trade union.
"Data controller" is a person who determines the purposes for which and the manner in which personal data is to be processed.
"Data subject" is an individual who is a subject of personal data.
"Processing" is obtaining, recording, holding or carrying out any operation on data, such as the organisation, adaptation, alteration, retrieval, disclosure, dissemination, rearranging or destruction of the information or the data.
"Data processor" is any person who processes data on behalf of the data controller.
5. Exemptions
The following sets of information are exempt from the Data Protection Act and are therefore excluded from the detailed provisions of this policy, but in certain instances the spirit of the policy will be maintained so far as is reasonably practicable.
5.1. Primary Exemptions
Primary exemptions include
- Information which BEAT is required by law to make public
- Information which BEAT is required to make in connection with legal proceedings
- Information relating to national security
- Personal data processed for the prevention of crime or prosecution of offenders or for the collection of tax
- Information relating to any regulatory activity
- Information relating to special purposes such as journalism, artistic or literary use
5.2. Miscellaneous Exemptions
Confidential references given by the data controller are exempt from subject access by the data subject. This includes confidential references given by the data controller for the following purposes:
- Education
- Training
- Employment
- Appointment to office
- Provision of any service
The exemption is not available for references where they are received by the data controller, although the recipient is entitled to take steps to protect the identity of third parties such as the author of the reference.
- Management forecasts / management planning - this exemption is available to business to protect confidentiality of personal data processed for the purposes of management forecasting or management planning.
- Negotiations - where personal data consists of records of the intentions of the data controller in relation to any negotiations with the data subject, such as personal data is exempt from the subject information provisions to the extent that such information would prejudice negotiations
With the exception of the above no personal data whether held on computer or hard copy will be released to any individual or company. If a school needs to contact a teacher for the course of their work personal contact details will be given unless the teacher has explicitly asked BEAT not to, Personal contact details (outside of BEAT e-mail addresses) will not be passed on to parents
6. Personal Data
6.1 Principles
BEAT is committed to upholding the following principles:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
BEAT will therefore only utilise data within its documents under the terms of the Data Protection Act. Disclosure of information will only be permitted for those purposes referred to in clause 5 above or where the individual has given consent. Where data has been collected for employment purposes it will only normally be used for such purposes. No important decisions will be made with regard to any individual using, or referring to, data which was collected for any other purpose.
6.2 Relevancy
The amount of personal data held will be adequate, relevant and not excessive in relation to the purposes for which it is held. BEAT will review all personal data on an annual basis in order to ensure there are sound business or administrative reasons requiring the maintenance of that data.
6.3 Accurate
Personal data shall be accurate and where necessary kept up to date. Data is inaccurate if it is incorrect or misleading to any matter of fact. BEAT will take all reasonable steps to ensure the accuracy of such information. It is also necessary for individuals on whom we hold data to inform us of any change in circumstances (e.g. address).
6.4 Retention
Personal data will only be held for as long as necessary to enable those specified and lawful purposes to be achieved It is necessary to retain employee information for seven years after an employee has left BEAT. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment and information required for job references. The data retained will be reviewed from time to time.
6.5 Access to information
Any individual about whom personal data is retained or is being processed can be informed of the following information:
- The purpose for which this is being done
- To whom such data may be disclosed
- The source of such data and who will have access to such data, in an intelligible form on request
- How to have such data corrected
Where the processing of data by automated means is likely to constitute the sole basis for any decision affecting the data subject, the data controller / data processor will inform the data subject of the logic involved in the decision making process.
In order to request such information any employee or individual needs to submit their request to the CEO in writing. Requests made in term time will receive a reply within 14 days. If the request is made in the school holiday it is possible that an answer will not be given until 14 days after the beginning of the next term.
When considering whether to comply with such a request from a data subject, the data controller will be entitled to have regard to the nature of the data, the purpose for which the data is processed and the frequency with which the data is altered.
6.6 Security of data
Personal data will be secured against unauthorised or unlawful processing, accidental loss, destruction or damage.
BEAT will take due care with regard to the storage of data and the protection of data provided by software and hardware security measures. Every effort will be taken to ensure the reliability and confidentiality of authorised staff who are given access to the data. Data should not be removed from its normal place of storage without good reason.
6.7 Geographical restrictions
Personal data will only be transferred to a country other than the UK with the express permission of the data subject.
7. Responsibility to inform
It is the responsibility of the CEO to inform the Information Commissioners Office of any breach that may occur.
All those persons referred to in this policy are required to adhere to its terms and conditions. They must also understand that this policy is incorporated into their contract of employment.
Individual managers are responsible for ensuring that this policy is applied within their own area. Any queries on the interpretation or application of this policy should be discussed with the CEO prior to any action being taken
8. External References
The Data Protection Act 2018. This the UK’s implementation of the General Data Protection Regulation (GDPR): https://www.gov.uk/data-protection
The Information Commissioner's Office (ICO). The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individual. https://ico.org.uk/
Issue Date: November 2023
Review Date: October 2025