Data Protection Policy

1. Introduction

2. Purpose

3. Objectives

4. Scope

5. Lines of Responsibility

6. Monitoring & Evaluation

7. Implementation

8. Legal Requirements & External Standards

9. Definitions

10. Further Help & Advice

11. Appendices


1. Introduction

Inspiring Teachers is a UK-registered nonprofit that offers a new approach to supporting schools and systems to help teachers improve learning outcomes. We are dedicated to delivering high-quality, sustainable teacher training by working closely with partner organisations in parts of the world where teacher training can improve education.

Inspiring Teachers’ need to communicate and share personal data worldwide also presents significant data protection risks. Inspiring Teachers needs to collect, use and share personal information about Fellows, contractors, consultants, partners, subscribers, visitors, and other individuals in order to deliver services, exercise its responsibilities and duties of care as an employer and provider of training and excursions, and fulfill its legal and contractual obligations. In doing so, Inspiring Teachers must comply with the General Data Protection Regulation 2018, and equivalent legislation in other jurisdictions in which it operates, such as the Ghana Data Protection Act 2012.

These laws require Inspiring Teachers to protect personal information and control how it is used in accordance with the legal rights of the data subjects – the individuals whose personal data is held.

All staff, volunteers, partners, and other data subjects are entitled to know:

  • What information Inspiring Teachers holds and processes about them and why
  • How to gain access to it
  • How to keep it up to date
  • What Inspiring Teachers is doing to comply with its legal obligations under privacy law

2. Purpose

This policy and its supporting procedures and guidance aim to ensure that Inspiring Teachers complies with its obligations operating under the General Data Protection Regulation, 2018 (GDPR), and processes all personal data in compliance with the data protection principles set out in the GDPR.

These state that data shall:

  • Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
  • Be adequate, relevant, and not excessive for those purposes
  • Be accurate and kept up-to-date
  • Not be kept for longer than is necessary for that purpose
  • Be processed in accordance with the data subjects’ rights
  • Be kept safe from unauthorized access, accidental or deliberate loss or destruction
  • Not be transferred to a country outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. To fulfill the contractual duties of delivering Fellowships, Inspiring Teachers will use the exceptions set out in Schedule 4 of the Act to transfer Fellows’ personal data in territories outside the EEA.

To manage these risks, this policy sets out responsibilities for all managers, staff and contractors, and anyone that can access or use personal data in their work for Inspiring Teachers.

The policy also sets out a framework of governance and accountability for data protection compliance across Inspiring Teachers. It forms part of Inspiring Teachers’ Information Security Management System (ISMS). This incorporates all policies and procedures required to protect Inspiring Teachers’ information by maintaining:

  • Confidentiality: protecting information from unauthorized disclosure
  • Integrity: safeguarding the accuracy and completeness of the information and preventing its unauthorized amendment or deletion
  • Availability: ensuring that information and associated services are available to authorized users whenever and wherever required

3. Objectives

Inspiring Teachers will apply the Data Protection Principles to the management of all personal data throughout the information lifecycle by following the policy objectives below.

We will:

3.1. Apply privacy by design principles when developing and managing information systems containing personal data.

This means that we will

  1. Use proportionate privacy assessment to identify and mitigate data protection risks at an early stage of the project and process design for all new or updated systems and processes that present privacy concerns, and in managing upgrades or enhancements to systems used to process personal data
  2. Adopt data minimization: we will collect, disclose and retain the minimum personal data for the minimum time necessary for the purpose
  3. Anonymise personal data wherever necessary and appropriate, for instance when using it for statistical purposes

3.2. Process personal data fairly and lawfully

This means that we will

  • Only collect and use personal data in accordance with the conditions specified under the Data Protection Act
  • Ensure that if we collect someone’s personal data for one purpose e.g. to place them on a Fellowship, we will not reuse their data for a different purpose that the individual did not agree to or expect e.g. to market our service to an external supplier
  • Treat people fairly by using their personal data for purposes and in a way they would reasonably expect.

3.3. Seek informed consent when it is appropriate to do so

This means that we will seek the consent of individuals to collect and use their personal data

  • Whenever the law requires us to do so, or
  • Where the consent will be specific, informed, and freely given.

In some circumstances, it is not appropriate to seek an individual’s consent to process their data. For instance

  • Where Inspiring Teachers is required to process personal data by law, for instance, to comply with Home Office immigration rules, or
  • Where we disclose personal data to the police to assist a criminal investigation and seeking the individual’s consent would frustrate the purpose of the investigation by tipping off a suspect
  • Where we need to process someone’s personal data to fulfill a contract or our legitimate purposes, such as booking accommodation for fellows, and the individual cannot reasonably refuse or withdraw consent

We will explain

  • What personal data collection is voluntary and why and the consequences of not providing it
  • What personal data collection is mandatory and why we are entitled or obliged to process their data, for instance as a condition of employment or enrolment on a Fellowship

3.4. Inform data subjects what we are doing with their personal data

This means that, at the point that we collect personal data, we will explain in a clear and accessible way,

  • What personal data we collect
  • For what purposes
  • Why we need it
  • How we use it
  • How we will protect their personal data
  • To whom we may disclose it and why
  • Where relevant, what personal data we publish and why
  • How data subjects can update their personal data that we hold
  • How long we intend to retain it

We will publish this information, tailored for fellows, staff and other groups of people on our website and where appropriate in printed formats. We will review the content of these Privacy Notices regularly and inform our data subjects of any significant changes that may affect them. We will provide simple and secure ways for our fellows, staff and other data subjects to update the information that we hold about them such as home addresses.

Where we process personal data to keep people informed about Inspiring Teachers activities and events we will provide in each communication a simple way of opting out of further marketing communications.

In this way, we will provide accountability for use of personal data and demonstrate that we will manage people’s data in accordance with their rights and expectations.

3.5. Uphold individuals’ rights as data subjects

We will uphold their rights to

  • Access a copy of the information comprising their personal data, responding to requests for their own personal data (subject access requests) in a fair, friendly, and timely manner
  • Object to processing that is likely to cause or causes unwarranted and substantial damage or distress
  • Prevent processing for direct marketing
  • Object to decisions being taken by automated means
  • Have inaccurate personal data rectified, blocked, erased, or destroyed in certain circumstances
  • Claim compensation for damages caused by a breach of the UK Data Protection Act.

3.6. Protect personal data

This means we will:

  • Control access to personal data so that staff, contractors, volunteers, and other people working on Inspiring Teachers business only see such personal data as is necessary for them to fulfil their duties
  • Require all Inspiring Teachers staff, contractors, volunteers, and others who have access to personal data in the course of their work to complete basic data protection training, supplemented as appropriate by procedures and guidance relevant to their specific roles
  • Set and monitor compliance with security standards for the management of personal data as part of Inspiring Teachers’ wider framework of information security policies and procedures
  • Provide appropriate tools for staff, contractors, volunteers, and others to use and communicate personal data securely when working anywhere, for instance through the provision of a secure virtual private network, encryption, and cloud solutions
  • Take all reasonable steps to ensure that all suppliers, contractors, agents, and other external bodies, and individuals who process personal data for Inspiring Teachers enter into our Data Processor Agreements and comply with auditable security controls to protect the data in compliance with our procedures for approving, monitoring and reviewing personal data processing agreements. (we need to develop these)
  • Maintain Data Sharing agreements with educational partners and other external bodies with whom we may need to share fellow, staff, and personal data to deliver shared services or joint projects to ensure proper governance, accountability, and control over the use of such data
  • Ensure our staff and volunteers are aware of how privacy law applies to their use of personal data in their work and how they can take appropriate steps to protect their own personal data and respect the privacy of others
  • Manage all subject access and third party requests for personal information about staff, volunteers, and other data subjects in accordance with our procedures for responding to requests for personal data
  • Make appropriate and timely arrangements to ensure the confidential destruction of personal data in all media and formats when it is no longer required for Inspiring Teachers’ business.

3.7. Retain personal data only as long as required

We will

  • Apply Inspiring Teachers’ records retention policies relevant to each service function
  • Keep records locally as long as required as outlined by these policies, then
  • Destroy them securely in a manner appropriate to their format, or
  • Transfer them by arrangement with heritage and information governance for longer-term storage or archival preservation

Some Inspiring Teachers records containing personal data are designated for permanent retention as archives for historical and statistical purposes. When managing access to archives with personal data we will

  • Apply exemptions to public rights of access to information as appropriate in accordance with data subjects’ rights to privacy
  • Redact personal data, or withhold specific categories of records, such as Fellow records, for the lifetime of the subject and an identifiable next of kin.

4. Scope

4.1. What information is included in the policy

This policy applies to all personal data created or received in the course of Inspiring Teachers business in all formats, of any age. Personal data may be held or transmitted in paper and electronic formats or communicated verbally in conversation or over the telephone.

4.2. Who is affected by the policy

Data subjects

These include, but are not confined to prospective applicants, applicants to programs and posts, current and former fellows, volunteers and employees and family members where emergency next of kin contacts are held, workers employed through temp agencies, directors, partners, teachers being trained and their students, researchers, customers, potential and actual donors, people making requests for information or enquiries, complainants, professional contacts and contractors.

Users of personal data

The policy applies to anyone who can obtain, record, access, store or use personal data in the course of their work for Inspiring Teachers. Users include employees and volunteers such as fellows, contractors, suppliers, agents, Inspiring Teachers partners, and visitors.

4.3. Where the policy applies

This policy applies to all locations from which Inspiring Teachers’ personal data is accessed including home use.

As Inspiring Teachers operates internationally with partners in other jurisdictions – through its projects in Cambodia, Guyana, Ghana, Tanzania, Uganda, Rwanda, Nepal, India, Malaysia, Belize, and Laos and recruitment of fellows in the UK, United States of America, Australia, New Zealand, and Canada – the remit of the policy shall include such overseas operations and internal activities and shall pay due regard to non-UK legislation that might be applicable.


5. Lines of Responsibility

All users of Inspiring Teachers information are responsible for

  • Undertaking relevant training and awareness activities provided by Inspiring Teachers to support compliance with this policy
  • Taking all necessary steps to ensure that no breaches of information security result from their actions
  • Reporting all suspected information security breaches or incidents promptly to allow appropriate action to be taken to minimize harm
  • Informing Inspiring Teachers of any changes to the information they have provided in connection with their employment or activities, for instance, change of address

Inspiring Teachers’ directors, as the collective chief executive officer of Inspiring Teachers, have ultimate accountability for Inspiring Teachers’ compliance with data protection law.

The Operations Director has senior management accountability for information governance including data protection management, reporting to Inspiring Teachers’ directors and risk committee on relevant risks and issues.

The Director responsible for Inspiring Teachers’ governance and legal services has senior management responsibility for information governance including data protection management and for providing proactive leadership to instill a culture of information security within Inspiring Teachers through a clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

The Digital Communications and Compliance Manager is the designated data protection officer, who is responsible for recommending information governance and security strategy to the Director responsible for governance and legal services and has executive oversight of policies, procedures, and controls to manage information security and data protection.

All directors, managers, project and team leaders are responsible for implementing the policy within their business areas and the adherence of their teams. This includes

  • Assigning generic and specific responsibilities for data protection management
  • Managing access rights for information and systems to ensure that staff, contractors, and agents access only the personal data necessary for them to fulfil their duties
  • Ensuring that all staff in their business areas undertake relevant training provided by Inspiring Teachers and are aware of their accountability for data protection
  • Ensuring that staff responsible for any locally managed IT services put in place Inspiring Teachers IT security controls

Inspiring Teachers’ Directors are responsible for:

  • Ensuring that Inspiring Teachers’ IT systems and services take account of relevant data protection risks and are integrated into the information security management system and for promoting IT security among relevant staff
  • Reviewing relevant human resources policies and procedures in order to support managers and staff in understanding and discharging their responsibilities for data protection through the recruitment, induction, training, discipline, and leaver management processes
  • Reviewing relevant applicant administration policies and procedures to integrate with the information security management system and for oversight of the management of applicants’ records and associated personal data across Inspiring Teachers.
  • Ensuring data protection and wider information security controls are integrated within the risk, business continuity management, and audit programs and liaising with insurers to ensure that the information security management system meets insurance requirements.
  • Ensuring that controls to manage Inspiring Teachers’ physical security take account of relevant data protection risks and are integrated into the information security management system.
  • Reviewing the effectiveness of data protection policies and procedures as part of its wider oversight of information security management.

6. Monitoring & Evaluation

Inspiring Teachers will monitor new and ongoing data protection risks and update the information security risk register, reporting this as promptly as required to the head of risk and audit management.

The information governance and security lead will annually report to the risk management group on Inspiring Teachers’ compliance with the data protection policy. The operations director as the head of the information governance and security is responsible for escalating major risks arising from a breach of information security or other major issues that affect strategic and operational risks to directors. The chair will report when necessary to directors as part of a wider communications strategy to promote a culture of responsible information security management across Inspiring Teachers.

The director responsible for governance and legal services is responsible for meeting any reporting requirements of external regulatory bodies.

As part of Inspiring Teachers, the trustees will instruct Inspiring Teachers’ internal auditors to audit the management of information security risks and compliance with relevant controls, as needed.


7. Implementation

This policy is implemented through the development, implementation, monitoring, and review of the components of Inspiring Teachers’ security management systems.

These include:

  • Heads of functions and projects undertake information risk assessments to identify and protect confidential and business-critical information assets and IT systems
  • Coordination between relevant heads of functions to integrate IT, physical security, people, information management, risk management, and business continuity. This will ensure that Inspiring Teachers has effective and proportional security controls
  • Review and refreshment of all relevant policies and procedures
  • Designation of information governance coordinators
  • Generic and role-specific training and awareness
  • Embedding information governance requirements in procurement and project planning
  • Information security incident management policies and procedures
  • Business continuity management
  • Monitoring compliance and reviewing controls to meet business needs

Related Policies, Procedures, and Further References

Inspiring Teachers policies and procedures

This policy forms part of a connected set of Inspiring Teachers’ information policies and procedures. They aim to develop a positive culture of information security throughout the organization as a holistic information security management system to protect Inspiring Teachers’ information by maintaining confidentiality, integrity, and availability.

This policy should be read in conjunction with Inspiring Teachers’ information governance and website terms policies, which are reviewed and updated as necessary to meet Inspiring Teachers’ business needs and legal obligations.

Managers of people whose roles do not require Inspiring Teachers IT access are responsible for briefing their staff, volunteers, or contractors on their responsibility to all policies that affect their work.


8. Legal Requirements & External Standards

Effective data protection and information security controls are necessary to comply with UK and Scottish law and other relevant law in all jurisdictions in which Inspiring Teachers operates.

Legislation that places specific data protection, information security and record-keeping obligations on organisations includes, but is not limited to:

  • Computer Misuse Act 1990
  • Data Protection Act 1998
  • The Data Protection (Processing of Sensitive Personal Data) Order 2000
  • Environmental Information (Scotland) Regulations 2004
  • Freedom of Information (Scotland) Act 2002
  • Privacy and Electronic Communications Regulations 2003
  • Regulation of Investigatory Powers Act 2000
  • Regulation of Investigatory Powers (Scotland) Act 2000
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
  • General Data Protection Regulation 2018

All current UK Legislation is published at http://www.legislation.gov.uk/

UK Information Commissioner’s Office (ICO) Statutory Codes of Practice, including:

  • Anonymisation
  • CCTV
  • Data Sharing
  • Employment Practices
  • Personal Information Online
  • Privacy Notices
  • Subject Access

Guidance, including:

  • Bring Your Own Device
  • Cloud Computing
  • Data controllers and data processors: what the difference is and what the governance implications are
  • Data security breach management
  • International Data Transfers
  • IT Asset Disposal
  • Privacy and Electronic Communications
  • Privacy Impact Assessment

https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/


9. Definitions

Information

The definition includes, but is not confined to, paper and electronic documents and records, email, voicemail, still and moving images and sound recordings, the spoken word, data stored on computers or tapes, transmitted across networks, printed out or written on paper, carried on portable devices, sent by post, courier or fax, posted onto intranet or internet sites or communicated using social media.

Personal Data

Information in any format that relates to a living person who can be identified from that information or other information held by Inspiring Teachers, its contractors, agents, and partners, or other third parties.

Although the Data Protection Act applies only to living people, the scope of this policy also includes information about deceased individuals. This is because disclosure of information about the deceased may still be in breach of confidence or otherwise cause damage and distress to living relatives and loved ones.

Sensitive Data

Sensitive personal data (as defined in Section 2 of the Data Protection Act 1998) is personal data relating to an identifiable individual’s:

  • racial or ethnic origin;
  • political opinions;
  • religious or other beliefs;
  • membership of a trade union;
  • physical or mental health or condition;
  • sexual life;
  • proven or alleged offenses, including any legal proceedings and their outcome.

In addition, Inspiring Teachers’ definition of High-Risk Confidential Information includes the following personal data:

“Any other information that would cause significant damage or distress to an individual if it was disclosed without their consent, such as bank account and financial information, marks or grades.”

Data Controller

An organisation that determines the purposes for which personal data is processed and is legally accountable for the personal data that it collects and uses or contracts with others to process on its behalf.

Data Processor

In relation to personal data, any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data Subject

A person whose personal data is held by Inspiring Teachers or any other organisation.

Processing

Creating, storing, accessing, using, sharing, disclosing, altering, updating, destroying, or deleting personal data.

Information Security Management System

That part of the overall management system based on a business risk approach to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes, and resources.

Confidential Information

The definition of confidential information can be summarised as:

  • Any personal information that would cause damage or distress to individuals if disclosed without their consent;
  • Any other information that would prejudice Inspiring Teachers or another party’s interests if it were disclosed without authorization.

10. Further Help & Advice

For further information and advice about this policy and any aspect of information security, contact the Data Protection Officer at:

Email: info@inspiringteachers.org

Address: 21 Oak Green, Billericay, CM11 2JU


11. Appendices

Appendix 1: Conditions for processing personal data

The individual who the personal data is about has consented to the processing.

The processing is necessary:

  • in relation to a contract which the individual has entered into; or,
  • because the individual has asked for something to be done so they can enter into a contract.

The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).

The processing is necessary to protect the individual’s “vital interests”.

This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.

The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.

The processing is necessary for

  • the legitimate interests of the data controller, or
  • the third party or parties to whom the data are disclosed,

except where the processing is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.


Appendix 2: Conditions for Inspiring Teachers to Process Sensitive Personal Data

The individual who the personal data is about has consented to the processing.

The processing is necessary:

  • for Inspiring Teachers to comply with employment law
  • in relation to a contract which the individual has entered into; or
  • because the individual has asked for something to be done so they can enter into a contract.

The processing is necessary to protect the vital interests of:

  • the individual (in a case where the individual’s consent cannot be given or reasonably obtained),
  • another person (in a case where the individual’s consent has been unreasonably withheld).

The processing is carried out by a not-for-profit organization and does not involve disclosing personal data to a third party unless the individual consents. Extra limitations apply to this condition.

The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.

The individual has deliberately made the information public.

The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising, or defending legal rights.

The processing is necessary for administering justice, or for exercising statutory or governmental functions.

The processing is necessary for medical purposes and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.

The processing is necessary for monitoring equality of opportunity and is carried out with appropriate safeguards for the rights of individuals.

The processing is in the substantial public interest and is necessary for

  • prevention or detection of any unlawful act; and
  • must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes.

The processing is in the substantial public interest and is necessary for the discharge of any function which is designed for protecting members of the public against:

  1. dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person, or;
  2. mismanagement in the administration of, or failures in services provided by, any body or association; and;
  3. must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the discharge of that function.

The disclosure of personal data is in the substantial public interest in connection with (i) the commission by any person of any unlawful act (whether alleged or established);

  1. dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or;
  2. mismanagement in the administration of, or failures in services provided by, any body or association (whether alleged or established);
  3. is for journalism, artistic or literary purposes, and
  4. is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

The processing is in the substantial public interest and is necessary for the discharge of any function which is designed for the provision of confidential counseling, advice, support, or any other service; and carried out without the explicit consent of the data subject because the processing

  1. is necessary in a case where consent cannot be given by the data subject,
  2. is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject, or
  3. must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of that counseling, advice, support, or another service.

The processing is necessary for the purpose of (i) carrying on insurance business, or (ii) making determinations in connection with eligibility for, and benefits payable under, an occupational pension scheme;

  • is of sensitive personal data consisting of information falling within section 2(e) of the Act relating to a data subject who is the parent, grandparent, great grandparent or sibling of the insured person, or (ii) in the case of paragraph (a)(ii), the member of the scheme;
  • is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of that data subject and the data controller is not aware of the data subject withholding his consent; and
  • does not support measures or decisions with respect to that data subject.

The processing is in the substantial public interest and;

  • is necessary for research purposes
  • does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject; and
  • does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person.

Last updated: 25 May 2021