PRIVACY AND DATA USAGE POLICY
Privacy, security, and ethical usage of data are company-wide imperatives at Studious and must guide how we handle data every day. Studious is committed to protecting the privacy and security of the data we handle, and ensuring we use, process, and share it responsibly.
| Version | Date | Last Amended By | Comments |
|---|---|---|---|
| 1.0 | July 2020 | Cracknell Law | First draft |
- PART 1: Purpose
- PART 2: Objective
- PART 3: Scope
- PART 4: Responsibilities
- PART 5: Principles
“Associates” means all Studious employees, contractors, agents, sub-contractors, volunteers, service providers, subsidiaries, majority-owned joint ventures and any other individuals who access, use or maintain databases containing Personal Data held by Studious.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Discloser” means a party that provides Personal Data relating to a Data Subject to Studious.
“Data Protection Laws” means all applicable privacy and data protection laws and regulations, including without limitation the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018.
“Data Subject” means an identified or identifiable natural person.
“Personal Data” means any information relating to a Data Subject, in particular where the Data Subject can be identified, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Sensitive Personal Data” is any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
PART 1: PURPOSE
- address Studious’ approach and procedure to Collection, Use, Disclosure, and Retention of data relating to any natural persons;
- create a uniform set of data protection guidelines that must be applied to all Studious services, processes, and technologies, that utilise individual-level data and by all Studious Associates unless otherwise specified;
- base the Studious data processing activities on principles enshrined in Data Protection Laws that are the foundation for privacy laws within the UK and across the EU; and
- provide a working code to be available for inspection by:
  - all Studious Associates;
  - the Information Commissioner’s Office (and all data protection authorities to which the data processing activities are subject);
  - government agencies;
  - customers / clients (on request and as agreed by senior management);
  - self-regulatory bodies; and
  - industry or advocacy groups.
PART 2: OBJECTIVES
- comply with all relevant Data Protection Laws to which Studious has subscribed;
- operate according to a consistent set of standards and practices relating to privacy and data use across our organisation;
- reflect the privacy practices and requirements of our customers who share data with us;
- recognise distinct types of data and apply appropriate controls to them throughout their lifecycle;
- consider privacy impacts and build privacy protections throughout every stage of development and deployment of our products and services;
- safeguard the confidentiality of all those whose data we hold and use;
- escalate issues or instances of non-compliance; and
- seek help when questions arise about interpreting or applying privacy and data use rules.
PART 3: SCOPE
- all mediums used to collect Personal Data, regardless if this is hard copy, digital or any other form of data collection and storage method;
- all Studious Associates;
- all data about a natural person (whether identified or not) provided to Studious directly by individuals, including job applicants, employees, customers and all others whose data will be processed and held by Studious; and
- all data about a natural person (whether identified or not) collected by Studious in the course of business via third party providers, marketing insight methods (including but not limited to telephone, website, cookies, direct mail or other channels of information gathering) or any other data input provided to Studious at any time.
PART 4: RESPONSIBILITIES
Studious has assigned key roles across the organisation to ensure the core functions of data protection are monitored correctly during the normal undertakings of the business. The individuals responsible and their respective roles are listed below:
- DPO / Information Lead, who must be consulted:
  - if you are unsure of the lawful basis on which you are relying to process Personal Data (including the legitimate interests used by Studious);
  - if you need to rely on consent and/or need to capture explicit consent;
  - if you need to draft privacy notices or fair processing notices;
  - if you are unsure about the retention period for the Personal Data being processed;
  - if you are unsure about what security or other measures you need to implement to protect Personal Data;
  - if there has been a Personal Data Breach;
  - if you are unsure on what basis to transfer Personal Data outside the EEA;
  - if you need any assistance dealing with any rights invoked by a Data Subject;
  - whenever you are engaging in a significant new, or a change in, processing activity which is likely to require a data protection impact assessment, or plan to use Personal Data for purposes other than those for which it was collected;
  - if you plan to undertake any activities involving automated processing, including profiling or automated decision-making;
  - if you need help complying with applicable law when carrying out direct marketing activities; or
  - if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (including our vendors).
PART 5: PRINCIPLES
- processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);
- collected only for specified, explicit and legitimate purposes (Purpose Limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation);
- accurate and where necessary kept up to date (Accuracy);
- not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation); and
- processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
Studious has incorporated these principles into the guidance framework set out in the principles below.
- Privacy by design and by default
All new projects, services and products devised and undertaken by Studious will undergo assessment of their impact on data privacy and have the requisite privacy protections embedded into them by design from the outset. During the initial phase of new ventures or alterations to existing procedures involving Personal Data, Studious will always consider the need for a data protection impact assessment and conduct one as necessary. All new ventures of this type will be reviewed and approved by the Information Lead / DPO.
- Accountability to Data Subjects
It is Studious’ policy to ensure regulation compliant guardianship of all Personal Data in our control. All data processing is documented with the lawful grounds for processing and accessing, altering or disposing of the information recorded. We take steps to prevent the data we collect in the course of performing our services from being reused in ways that could have negative impacts for individuals.
It is Studious’ policy to investigate all complaints regarding our privacy and data use practices and take remedial action where appropriate. All Studious Associates who receive a privacy related complaint must escalate it to the Information Lead / DPO without delay.
Personal Data will only ever be used for the purpose for which it was intended prior to collection. Any subsequent alteration in use will not be incompatible with the original purpose; Data Subjects will be informed of the alternative use and, in relevant cases, asked for their consent prior to further processing if no other lawful basis is suitable.
In the event of a data security breach, all Data Subjects will be notified by Studious if there is a high risk to their rights and freedoms provided under the principles of current Data Protection Laws.
- Ensuring a Lawful Basis for Processing at all Times
Processing of Personal Data is only ever permitted under one of the following lawful grounds for processing:
- Necessary for performance of a contract: Personal Data can be processed by Studious in order to establish, execute or terminate a contract to which the Data Subject is party.
- Consent has been provided by the Data Subject or their parent / guardian: When we offer individuals choices concerning their Personal Data, we will do so at a time and in a context that allows Data Subjects such as employees, customers and the general public to make informed, timely decisions about our use of their data. When we are required to seek consent for the use of Personal Data, we do so with an ‘opt-in’ method, which clarifies what information will be collected, precisely how it will be used and who (if anyone) it will be shared with. Studious always notifies individuals by the means most appropriate to each individual in each specific situation. This enables individuals to give active consent to how their Personal Data is used and always provides an option to withdraw this consent at any time. Studious will always keep an up-to-date record of the permissions given by individuals and exactly what those consents relate to.
- Processing in the Legitimate Interests of the Controller: Personal Data can be processed on the basis of legitimate interests, unless the interests pursued by Studious are overridden by the rights of the Data Subject. If a risk to the Data Subject is present due to processing under the legitimate interests of the Controller, Studious will conduct a legitimate interests assessment and notify Data Subjects of the presence and outcome of this assessment, providing an overview of the procedure on request.
- Requests for Processing pursuant to a legal obligation: Processing may be required by law. The type and extent of Processing will be limited to legally authorised processing activity and will always comply with a relevant statutory provision.
- Data Quality, Access, Alteration and Erasure
It is our policy to take reasonable and practical steps to ensure that the data we collect, use and disclose is complete, accurate, relevant, not misleading and up-to-date.
All Data Subjects are entitled to know what Personal Data Studious holds about them and, on request, they should be provided with all the information they are eligible to receive. Provided Studious can safely confirm the identity of the requesting individual, Studious will provide information regarding:
- whether or not Personal Data is being processed and where;
- identity of the Controller;
- reasons for processing their Personal Data;
- information about the purpose of processing their Personal Data;
- which categories of Personal Data are being processed;
- how long the Personal Data will be stored for (or the mechanism to determine this);
- the right to rectification and erasure of Personal Data;
- the right to object to processing the Personal Data;
- the right to complain to the Information Commissioner’s Office (ICO);
- where Personal Data was not collected directly from the Data Subject, where it originated;
- the names of third parties who have received or will receive the Personal Data;
- the existence of any automated processing and the logic its decisions are based upon; and
- copies of the specific Personal Data being processed if requested by the Data Subject.
Studious holds and processes the following categories of information in electronic and/or paper form:
- personal details (name, date of birth, home address, private email, work email, telephone number, etc);
- education details (CV, work history, etc);
- financial details (bank account, credit card details, transaction data);
- customer information (name, address, contractual details, etc); and
- medical information.
Personal Data relating to Data Subjects is used for:
- providing our services to students and customers;
- operating and servicing our website and apps (cookie information will always be provided to users);
- providing marketing in line with the appropriate legal requirements and permissions given by the Data Subject; and
- in so far as it is necessary, establishing or defending any legal claims relevant to Studious or for the purposes of cooperating with any legitimate law enforcement requests.
The categories of information held by Studious and the purposes of processing will be updated as required in the Privacy Notice provided on the Studious website.
Those working within Studious should refer to the Studious Subject Access Request Policy for further information on correctly responding to external requests for information.
As stated in Studious’ Privacy Notice, all individuals whose data is being processed have the right to object to processing. If individuals feel their data is being processed without lawful grounds or a fair and legitimate reason, Studious will consider this objection and, if in agreement, will cease processing and erase the Personal Data in question to ensure the rights of the Data Subject are upheld.
On receipt of a legitimate request from a Data Subject, Studious will erase, restrict or transfer Personal Data to another Controller in accordance with the Studious Subject Access Request Policy.
- Data Accuracy
Studious will always endeavour to ensure Personal Data is accurate and up to date.
It is the responsibility of all employees who work with Personal Data to take reasonable steps to ensure it is kept as accurate and up to date as possible, including without limitation:
- Personal Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets;
- staff should take every opportunity to ensure that Personal Data is updated;
- Personal Data should be updated as inaccuracies are discovered; and
- the employee nominated as responsible for compliant marketing practices must ensure marketing databases are regularly checked against industry suppression files (e.g. mailing opt-outs / telephone preference services).
- Adequate Notification
Notices informing individuals of our use of their Personal Data will always state how information will be used prior to collection. The information will always detail how Personal Data is collected, who will control the data, why it is being collected, the groups of third parties that may receive the data from us, how long it will be held, how Data Subjects can access the data, what rights they have regarding the data and who to contact if they wish to lodge a complaint.
Adequate notices will be given at every point Personal Data is collected from Data Subjects unless the information was provided by a third party. In that instance, notification will occur as soon as Studious contacts the Data Subject or within one month of receiving their Personal Data, whichever is sooner.
- Data Minimisation and Retention
Personal Data shall only be collected and stored to the extent that it is necessary for Studious to perform the specific purpose the data was collected for. Studious will continue to review our ongoing Personal Data collection procedures to ensure these limits are not exceeded.
Our Data Retention Policy shall be continually reviewed and adhered to. Personal Data shall not be kept by Studious without time limitations specific to each category. Once time limits expire on each category of Personal Data Studious shall dispose of the Personal Data in a manner which ensures the ongoing privacy of the Data Subject is upheld.
If Personal Data is gathered from a third-party source, Studious will always ensure safeguards to the privacy of Data Subjects by obtaining contractual representations from the third party to demonstrate that the data was collected via a lawful and compliant method.
- Collection and use of Children’s Personal Data
When collecting Personal Data regarding a child Data Subject, Studious always obtains the consent of a parent or guardian or ensures that this has been provided by the relevant Data Discloser. In accordance with our consent policy, this can be withdrawn at any time. Any services that may be directed at a child Data Subject will always provide a relevant, clear privacy notice detailing the purpose of collecting the information in a manner which the child Data Subject can easily understand.
- Record Keeping
The GDPR requires us to keep full and accurate records of all our data processing activities. You must keep and maintain accurate corporate records reflecting our processing including records of Data Subjects’ consents and procedures for obtaining consents.
These records should include, at a minimum, the name and contact details of the Data Controller and the DPO, clear descriptions of the Personal Data types, Data Subject types, processing activities, processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data’s retention period and a description of the security measures in place. In order to create such records, data maps should be updated regularly, which should include the detail set out above together with appropriate data flows.
- Disclosure to Third Parties
Studious’ policy is to ensure that any transfer of Personal Data to third parties is accompanied by a contractual agreement to ensure that those third parties only use the data for the purpose we have granted and to keep that Personal Data sufficiently protected and confidential. All agreements with any third party Processors will ensure the ongoing compliance with all applicable Data Protection Laws.
All transfers to third parties must comply with the following conditions for sharing Personal Data:
- they have a need to know the information for the purposes of providing the contracted services;
- sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
- the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- the transfer complies with any applicable cross border transfer restrictions; and
- a fully executed written contract that contains GDPR approved third party clauses has been obtained.
If Personal Data has been disclosed to any third party and the Data Subject has exercised their right to rectify, erase or block the processing of that information, Studious will promptly notify the third party in question and ensure that the Data Subject’s rights are upheld.
In certain circumstances Studious is required to disclose Personal Data to law enforcement agencies without the consent of the Data Subject. When required to do so, Studious will always ensure that the request is legitimate and the response is taken with the authority of the highest level of management.
- Security of Personal Data
Studious has implemented a series of technical and organisational security measures to protect Personal Data in our control from being unlawfully accessed, altered, destroyed or disclosed.
In addition to the information security protocols, Studious Associates must always follow sensible guidelines when accessing Personal Data. These measures will be included in all training and awareness activity and include the following:
- when working with Personal Data, employees should ensure the screens of their computers are always locked when left unattended;
- Personal Data should not be shared informally; and
- Associates should not save copies of Personal Data to their own computers for longer than strictly necessary.
All Personal Data breaches will be assessed for severity by the most senior level of management and reported as necessary to the ICO and the relevant Data Subjects in line with the Studious Data Breach Notification Policy.
- Transfer of data
It is our policy to comply with local laws respecting cross-border data transfers. Studious always ensures that enforceable contractual terms are agreed with any Processor of Personal Data functioning outside of the scope of Data Protection Laws. If non-EU Processors or sub-processors are used, a copy of the safeguard employed to transfer the Personal Data outside of the EU will be made available to all Data Subjects on request.