1. Introduction
1.1 We are committed to safeguarding the privacy of our website visitors; in this policy we explain how we will handle your personal data.
1.2 By using our website and agreeing to this policy.
2. How we use your personal data
2.1 In this Section 2 we have set out:
- the general categories of personal data that we may process;
- the purposes for which we may process personal data; and
- the legal bases of the processing.
2.2 We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters ("notification data"). The notification data may include your name and email address. The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this processing is consent.
2.3 Please do not supply any other person's personal data to us unless we prompt you to do so.
3. International transfers of your personal data
3.1 In this Section 3, we provide information about the circumstances in which your personal data may be transferred to countries outside the European Economic Area (EEA).
3.2 Our Email Marketing Service is situated in the United States. The European Commission has made an "adequacy decision" with respect to the data protection laws of this country. Transfers to this country will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission.
4. Retaining and deleting personal data
4.1 This Section 4 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
4.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
4.3 We will retain and delete your personal data as follows:
- Your account data/notification data will be retained until you specifically request it to be deleted from our systems.
5. Amendments
5.1 We may update this policy from time to time by publishing a new version on our website.
5.2 You should check this page occasionally to ensure you are happy with any changes to this policy.
5.3 We may notify you of changes to this policy by email or via a notification on our website.
6. Your rights
6.1 In this Section 6, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
6.2 Your principal rights under data protection law are:
- the right to access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to object to processing;
- the right to data portability;
- the right to complain to a supervisory authority; and
- the right to withdraw consent.
6.3 You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to:
- the supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address).
6.4 You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
6.5 In some circumstances you have the right to the erasure of your personal data without undue delay. Those circumstances include: you withdraw consent to consent-based processing; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are certain general exclusions of the right to erasure. Those general exclusions include where processing is necessary: for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
6.6 In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
6.7 You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
6.8 You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
6.9 To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
6.10 If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
6.11 To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
6.12 You may exercise any of your rights in relation to your personal data by written notice to us or via email to the data protection officer, whose details are outlined below (8.1).
7. Our details
7.1 This website is owned and operated by CAVMS Ltd.
7.2 We are registered in Wales under registration number 05306170, and our registered office is at Severn House, Hazell Drive, Newport, NP10 8FY.
7.3 Our principal place of business is at Henstaff Court Business Centre, Llantrisant Road, Groes Faen, Cardiff, CF72 8NG.
7.4 You can contact us:
- by post, using the postal address given above;
- by telephone, on the contact number published on our website; or
- by email, using the email address published on our website.
8. Data protection officer
8.1 Our data protection officer's contact details are: David Miller, dm@cavms.co.uk
Data Protection Policy
CAVMS Ltd is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the General Data Protection Regulation (GDPR).
The legal bases for processing data are as follows:
(a) Contract: the processing is necessary for the CAVMS team member's contract and student / parent teaching contract.
(b) Legal obligation: the processing is necessary for CAVMS to comply with the law (not including contractual obligations).
The CAVMS members responsible for data protection are mainly David Miller (Director) and John Murray (Director). However, all CAVMS team members must treat all student information in a confidential manner and follow the guidelines as set out in this document.
CAVMS is also committed to ensuring that its team members are aware of data protection policies and legal requirements, and that adequate training is provided to them.
Notification
Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO:
https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/
Changes to the type of data processing activities being undertaken will be notified to the ICO and details amended in the register.
Breaches of personal or sensitive data shall be notified within 72 hours to the individual(s) concerned and the ICO.
Personal and Sensitive Data
All data within CAVMS' control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates.
The definitions of personal and sensitive data shall be as those published by the ICO for guidance:
https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
The principles of the Data Protection Act shall be applied to all data processed:
- ensure that data is fairly and lawfully processed
- process data only for limited purposes
- ensure that all data processed is adequate, relevant and not excessive
- ensure that data processed is accurate
- not keep data longer than is necessary
- process the data in accordance with the data subject's rights
- ensure that data is secure
- ensure that data is not transferred without adequate protection.
Children
It is necessary for CAVMS to hold limited data about children (under 16) including name and date of birth. No information will be held other than that provided by the parent/guardian and it will be treated in the same way as all sensitive data as set out in this policy.
Fair Processing / Privacy Notice
CAVMS will be transparent about the intended processing of data and communicate these intentions via notification to team members, parents and pupils prior to the processing of an individual's data.
Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation.
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-noticestransparency-and-control/
There may be circumstances where CAVMS is required either by law or in the best interests of our students or staff to pass information on to external authorities, for example local authorities. These authorities are up to date with data protection law and have their own policies relating to the protection of any data that they receive or collect. The intention to share data relating to individuals with an organisation outside of CAVMS shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.
Data Access Requests (Subject Access Requests)
All individuals whose data is held by us have a legal right to request access to such data or information about what is held. We shall respond to such requests within one month and they should be made in writing to:
David Miller
CAVMS Ltd
Henstaff Court Business Centre
Llantrisant Road
Groes Faen
Cardiff CF72 8NG
No charge will be applied to process the request.
Personal data about pupils will not be disclosed to third parties without the consent of the child’s parent or carer, unless it is obliged by law or in the best interest of the child.
Data Security and Location
Hard copy data, records, and personal information are stored out of sight and in a locked filing cabinet.
CAVMS acknowledges that some staff may need to transport data between schools and their home in order to access it for work.
The following guidelines are in place for CAVMS team members in order to reduce the risk of personal data being compromised:
- Paper copies of data or personal information should not be taken from the CAVMS office or team members' home. If these are misplaced or lost they are at risk. If there is no way to avoid transporting a paper copy of data, the information should not be on view in public places, or left unattended under any circumstances.
- Unwanted paper copies of data, sensitive information or pupil files should be shredded. This also applies to handwritten notes if the notes reference any other staff member or pupil by name.
- Care must be taken to ensure that printouts of any personal or sensitive information are not left in printer trays or photocopiers.
- If information is being viewed on a shared PC, CAVMS team members must ensure that the window and documents are properly shut down before leaving the computer unattended. Sensitive information should not be viewed on public computers.
- If it is necessary to transport data, it should be downloaded onto a USB stick. The data should not be transferred from this stick onto any public computers. Work should be edited from the USB, and saved onto the USB only.
- USB sticks that staff use must be password protected.
- When using data to contact more than one parent, CAVMS team members must ensure that they blind copy (Bcc:) all recipients to avoid the sharing of personal data.
These guidelines have been clearly communicated to all CAVMS team members, and any person who is found to be intentionally breaching this conduct will be disciplined in line with the seriousness of their misconduct.
Data Disposal
CAVMS recognises that the secure disposal of redundant data is an integral element of compliance with legal requirements and an area of increased risk. All data held in any form of media (paper, tape, electronic) shall only be passed to a certified disposal partner with demonstrable competence in providing secure disposal services. All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process.
Disposal of IT assets holding data shall be in compliance with ICO guidance:
https://ico.org.uk/media/fororganisations/documents/1570/it_asset_disposal_for_organisations.pdf
CAVMS has identified a qualified source for disposal of IT assets and collections.
CAVMS also uses Matthews Confidential Document Shredding to dispose of sensitive data that is no longer required.