IWS Online School Privacy and GDPR Policy

Approved by: SLT

Date: 01.08.2024

Next review due by: 01.08.2025

1. Aims

IWS Online School aims to ensure that all personal data collected about staff, pupils, parents, governors, visitors, and other individuals is collected, stored, and processed in accordance with UK data protection law. This policy applies to all personal data, regardless of whether it is in paper or electronic format.

2. Legislation and Guidance

This policy meets the requirements of:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018 (DPA 2018)
• Protection of Freedoms Act 2012 (biometric data use)
• Education (Pupil Information) (England) Regulations 2005

3. Definitions

• Personal Data: Information relating to an identified or identifiable individual.
• Special Categories of Personal Data: Sensitive data needing extra protection, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetics, health, sex life, or sexual orientation.
• Processing: Any operation performed on personal data, automated or manual.
• Data Subject: The individual whose personal data is held or processed.
• Data Controller: An organisation that determines the purposes and means of processing personal data.
• Data Processor: A person or body that processes personal data on behalf of the data controller.
• Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

4. The Data Controller

IWS Online School processes personal data relating to parents, pupils, staff, governors, visitors, and others, and is a data controller. The school is registered with the ICO and has paid its data protection fee.

5. Roles and Responsibilities

This policy applies to all staff and external parties working on our behalf. Non-compliance may lead to disciplinary action.

5.1 Governing Board The governing board ensures compliance with data protection obligations

5.2 Data Protection Officer (DPO) The DPO oversees the implementation of this policy, monitors compliance, and reports to the governing board. Contact: Nida Khan, dpo@iwschool.co.uk.

5.3 Headteacher The headteacher represents the data controller on a day-to-day basis.

5.4 All Staff Staff are responsible for:

• Collecting, storing, and processing personal data according to this policy.
• Informing the school of any changes to their personal data.
• Contacting the DPO for guidance on data protection matters.

6. Data Protection Principles

Personal data must be:

• Processed lawfully, fairly, and transparently.
• Collected for specified, explicit, and legitimate purposes.
• Adequate, relevant, and limited to what is necessary.
• Accurate and kept up-to-date.
• Kept no longer than necessary.
• Processed securely.

7. Collecting Personal Data

7.1 Types of Information Collected IWS Online School collects personal information from pupils and their parents during the admissions process and throughout the provision of educational services. This may also include data from previous schools, social services, local authorities, and the Department for Education (DfE).

7.2 Categories of Personal Data Collected We collect the following types of personal information:

• Contact details (name, email address, postal address, telephone number)
• Date of birth
• Characteristics (ethnic background, additional educational needs)
• Identification proof
• Financial information (bank details)
• Academic records (test and examination results)
• Support details (plans and support providers)
• Behavioural records
• Attendance records
• Safeguarding information
• Health information
• References from previous schools or education providers
• References given to future schools or education providers
• Correspondence between the school and pupils/parents

7.3 Lawfulness, Fairness, and Transparency We process personal data under the following legal bases:

• To fulfil a contract with the individual or take steps at their request before entering a contract
• To comply with a legal obligation
• To protect the vital interests of the individual or another person
• To perform a task carried out in the public interest or in the exercise of official authority
• For legitimate interests pursued by the school or a third party, provided these are not overridden by the individual's rights and freedoms
• With the individual's consent

8. Sharing Personal Data

We share personal data only when necessary and with appropriate safeguards:

• With our staff and teachers to administer education
• With third parties providing services to the school (e.g., IT services)
• With regulatory bodies (e.g., OFSTED, ISI)
• With government authorities (e.g., DfE, HMRC)
• In emergency situations (e.g., with emergency services)
• With other educational institutions (e.g., examination boards)

We ensure all third parties comply with UK data protection law.

9. Subject Access Requests and Other Rights

Individuals have the right to:

• Access their personal data
• Rectify inaccurate data
• Erase data
• Restrict processing
• Object to processing
• Data portability
• Withdraw consent
• Complain to the ICO

Requests should be submitted to the DPO. Staff must forward any received requests to the DPO immediately.

10. Parental Requests to See the Educational Record

Parents have the right to access their child's educational record. Requests should be made in writing and will be processed within 15 school days.

11. Photographs and Videos

We obtain written consent for taking and using photographs and videos of pupils for communication, marketing, and promotional materials. Consent can be withdrawn at any time.

12. Data Protection by Design and Default

We integrate data protection into all processing activities, including appointing a qualified DPO, conducting data protection impact assessments, training staff, and maintaining records of processing activities.

13. Data Security and Storage of Records

We protect personal data against unauthorised access, alteration, and destruction. Data is stored in end-to-end encrypted software (SIMS) with strong passwords. Personal data shared with third parties is secured and protected.

14. Disposal of Records

Personal data no longer needed is disposed of securely. Inaccurate or out-of-date data is also disposed of securely, following the school’s record retention schedule.

15. Personal Data Breaches

The DPO documents and manages data breaches, reporting to the ICO within 72 hours if required.

Contact Details for ICO:

Website: ICO Website

Telephone: 0303 123 1113 or +44 1625 545 700

Email: casework@ico.org.uk

Postal Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

16. Training

All staff and governors receive data protection training during induction and ongoing professional development.

17. Monitoring Arrangements

The DPO monitors compliance with this policy and reviews it annually.

18. Contact Us

If you have any questions about this Privacy and GDPR Policy, please contact us:

• Email: dpo@iwschool.co.uk
• Postal Address: IWS Online School, East Wing Turkey Court, Turkey Mill, Maidstone, England, ME14 5PP

Termination and Refund Policy

At IWS Online School, we strive to provide a transparent and fair approach to our refund policy, ensuring clarity and confidence for our students and their families. We understand that circumstances may change, and we aim to accommodate these changes while maintaining the integrity of our educational services. The following policy outlines the terms and conditions regarding refunds, cancellations, and payments. Our goal is to ensure that all financial transactions are handled with the utmost professionalism and respect for our students and their educational journey with us.

Termination

• Termination by IWS:
• IWS reserves the right to terminate this Agreement immediately by providing written notice to the Customer in the event of non-payment, material breach of the Agreement, or other specified reasons.
• Termination by the Customer:
• Only the official Parent or Guardian may terminate this Agreement.
• The Customer may terminate this Agreement by providing written notice to IWS at least three (3) months prior to the intended termination date. Such notice must be sent either by email to the official email address of IWS or by 1st class signed-for post to the official postal address of IWS.
• Upon termination by the Customer, all outstanding payments must be settled. The Customer is obligated to pay the fees for the three-month notice period following the issuance of the termination notice.
• Any paid deposit will be refunded after all outstanding payments have been made and the termination process is complete.
• No refunds will be provided for any fees already paid upon termination by the Customer.

Cancellation

• Lessons missed by the student will be recorded and made available for later access.
• If IWS cancels a lesson, it will either provide a substitute lesson or make the lesson available as a recorded session.
• No refunds will be issued for cancelled lessons.

Refund

• No refunds will be issued for cancelled lessons.
• Any paid deposit will be refunded after all outstanding payments have been made and the termination process is complete.
• No refunds will be provided for any fees already paid upon termination by the Customer.

Payment

• Fees shall be paid as agreed, either in full or in instalments, as selected by the Customer on the enrolment form.
• If the instalment payment option is selected, an initial payment comprising the first instalment, a deposit equal to 10% of the total fees, and the non-refundable registration fee of £200 is required before the commencement of services. This deposit is non-refundable. For upfront payments, no deposit is required.
• All payments shall be made via bank transfer or by debit/credit card, which may incur a 3% processing fee.
• Charges include VAT at the prevailing rate.
• Overdue payments will incur interest at 4% above the Bank of England's base rate.
• The enrolment form can be submitted only if the payment is successfully checked out.