Data Protection Policy

1. INTRODUCTION 

1.1. The International School of Nanshan (“the school”) collects and uses certain types of personal information about staff, pupils, parents, and other individuals who encounter the school to provide education and associated functions. To carry out our ordinary duties to staff, pupils, and parents, we process a wide range of personal data about individuals (including current, past, and prospective staff, pupils, or parents) as part of our daily operations. The school may be required by law to collect and use certain types of information to comply with statutory obligations related to employment, education and safeguarding, and this policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 and the Personal Information Laws (PIPL) of the Peoples Republic of China. 

1.2. The GDPR/PIPL applies to all computerized data and manual files if they come within the definition of a filing system. Broadly speaking, a filing system is one where the data is structured in some way that it is searchable on the basis of specific criteria, so you would be able to use criteria like the individual’s name to find their information. 

1.3. This policy will be updated as necessary to reflect best practice, or amendments made to data protection legislation, and shall be reviewed annually. 

1.4. This policy applies alongside the Schools Acceptable Use Policy and any other information the school may provide about a particular use of personal data, for example when collecting data. 

1.5 Anyone who works for, or acts on behalf of, the school (including staff, volunteers, governors, and service providers) is required to be aware of and comply with this policy.

2. PERSONAL DATA 

2.1. ‘Personal data’ is information that identifies an individual and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain. A sub-set of personal data is known as ‘special category personal data’. This special category data is information that reveals: 

  • Race or ethnic origin
  • Nationality
  • Academic progress
  • Physical or Mental Health
  • Sexual orientation and Gender
  • Marital Status
  • Parental Status

2.2. Special Category Data is given special protection, and additional safeguards apply if this information is to be collected and used.

2.3. The school does not intend to seek or hold Special Category Data (previously known as sensitive personal data) about staff or students except where the school has been notified of the information, or it comes to the school’s attention via legitimate means (e.g., a grievance) or needs to be sought and held in compliance with a legal obligation or as a matter of good practice. Staff or students are under no obligation to disclose this information, save to the extent that details of marital status and/or parenthood are needed for other purposes, e.g., honeymoon leave requests, maternity/paternity leave requests. 

3. THE DATA PROTECTION PRINCIPLES 

3.1. The data protection principles as laid down in the GDPR/PIPL are followed at all times: 

3.1.1. personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met. 

3.1.2. personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes. 

3.1.3. personal data shall be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is being processed. 

3.1.4. personal data shall be accurate and, where necessary, kept up to date. 

3.1.5. personal data processed for any purpose(s) shall not be kept in a form which permits identification of individuals for longer than is necessary for that purpose/those purposes. 

3.1.6. personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. 

3.2. In addition to this, the school is committed to ensuring that at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law. 

3.3. The school is committed to complying with the principles in 3.1 at all times. This means that the school will: 

3.3.1. inform individuals about how and why we process their personal data through the privacy notices which we issue.

3.3.2. be responsible for checking the quality and accuracy of the information.

3.3.3. regularly review the records held to ensure that information is not held longer than necessary (student and employee records are kept indefinitely)

3.3.4. ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system and follow the relevant security requirements at all times.

3.3.5. share personal information with others only when it is necessary and legally appropriate to do so.

3.3.6. ensure that when information is authorized for disposal it is done appropriately.

3.3.7. set out clear procedures for responding to requests for access to personal information known as subject access requests (e.g., municipal board of education in Canada or China or other licensure entities). 

3.3.8 data breaches should be reported based on GDPR/PIPL guidelines as established in paragraph 17. 

5. USE OF PERSONAL DATA BY THE SCHOOL 

5.1. The school processes personal data on pupils, staff, and other individuals such as visitors. In each case, the personal data must be treated in accordance with the data protection principles as outlined in paragraph 3.1 above. 

Pupils and Parents 

5.2. The personal data held regarding pupils and parents is used in order to support the education of the pupils, to monitor and report on their progress, to provide appropriate pastoral care, and to assess how well the school as a whole is doing, together with any other uses normally associated with this provision in a school environment, including:

  • For the purposes of pupil selection and identity confirmation
  • To provide educational services (After school activities, service, clubs, field trips, etc.). 
  • Maintaining relationships with parents, pupils, and the wider school community. 
  • For the purposes of management planning and forecasting, research, and statistical analysis, including that imposed or provided for by law, market analysis and assessing pupil, parent, and alumni satisfaction. 
  • To enable relevant authorities to monitor the school’s performance and to intervene or assist with incidents as appropriate. 
  • To give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupil attended or where it is proposed they attend; and to provide references to potential employers of past pupils. 
  • To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the school. 
  • To safeguard pupils’ welfare and provide appropriate pastoral care. 
  • To monitor (as appropriate) use of the school’s IT and communications systems in accordance with the Acceptable Use Policy.
  • To make use of photographic images of pupils in school publications, on the school website and (where appropriate) on the school’s social media channels in accordance with the school’s policy on taking, storing, and using images of children. 
  • For safety, security, and welfare purposes, including CCTV and the school fob operated access system, in accordance with the provincial guidelines and the school’s Child Protection policy. 
  • For maintenance of historic archive; and 
  • Where otherwise reasonably necessary for the school’s purposes, including to obtain appropriate professional advice and insurance for the school. 

Faculty and Staff 

5.3. The personal data of staff is used for the purposes of:

  • Staff recruitment and appointment, including statutory recruitment checks and confirming the identity of prospective staff. The data is used to comply with legal obligations placed on the school in relation to employment, and the education of children in a school environment. The school may pass information to other regulatory authorities where appropriate. 
  • Staff employment, including contract information (such as start date, hours worked, post, roles, and salary information), work absence information (such as number of absences and reasons), payroll information (including bank account details) and special category personal data (such as medical information and ethnic group). 
  • The school may use names and photographs of staff in publicity and promotional material. 
  • To give a confidential reference relating to a worker before or after resignation, for the purposes of their taking up employment elsewhere. 
  • For the purposes of management planning and forecasting, research, and statistical analysis, including that imposed or provided for by law such as diversity or gender pay gap analysis and taxation records, labour market analysis and staff satisfaction. 

5.4 Staff should note that information about disciplinary action or safeguarding matters may be kept for longer than the duration of the sanction. Although treated as “spent” once the period of the sanction has expired, the details of the incident may need to be kept for a longer period.

Keeping in Touch and Supporting the School

5.5. The data of parents, alumni and other members of the school community are used to keep our supporters updated about the activities of the school, or alumni and parent events of interest, including by sending updates and newsletters, by email and by post. Having obtained consent from the individual (where necessary) and unless the relevant individual objects, the school may also:

  • Share personal data, as appropriate, with organizations set up to help establish and maintain relationships with the school community, such as a Chamber of Commerce and charities, societies, and associations. 
  • Contact parents, alumni, former staff, former parents, governors, and well-wishers (including via the organizations above), by post, e-mail, SMS, telephone, social media in order to promote and raise funds for the school’s charitable purposes in accordance. 
  • Undertake due diligence to safeguard the reputation of the school in the case of significant financial transactions. 

5.6. Where identified the school will provide reasonable adjustments to communications with vulnerable individuals in accordance with their, or their caregiver’s  instruction. The school respects donors’ requests to remain anonymous and to not be listed in publications, on benefactors lists or in general communications 

Other Individuals 

5.7. The school may hold personal information in relation to other individuals who have contact with the school, such as volunteers and guests. Such information shall be held only in accordance with the data protection principles and shall not be kept longer than necessary.

6. TYPES OF PERSONAL DATA PROCESSED BY THE SCHOOL 

6.1. By way of example the types of personal data processed by the school include: 

  • names, addresses, date of birth, telephone numbers, e-mail addresses and other contact details. 
  • bank details and other financial information, e.g., about parents who pay fees to the school and staff payroll information. 
  • past, present, and prospective pupils’ academic, disciplinary, admissions and attendance records, including information about any special needs, and examination scripts and marks. 
  • logs of concerns, bullying and complaints
  • staff details including employment history, absence records, disciplinary and grievance records, performance review, training details, information relating to career progression, photographs, maternity and paternity and adoption leave.
  • where appropriate, information about individuals’ health, and contact details for their next of kin. 
  • references given or received by the school about pupils or staff, and information provided by previous educational or employment establishments and/or other professionals or organizations working with pupils or staff. 
  • images of pupils (and occasionally other individuals including pupils from other schools) engaging in school activities including for the purpose of analyzing education and/or sport performance. 
  • images captured by the school’s CCTV cameras.
  • other data held for the purposes of the school’s development and alumni relations.

Special Category Data 

6.2. In addition, the school may need to process special category personal data (concerning health, ethnicity, religion, biometrics, or sexual life) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. 

7. HOW THE SCHOOL COLLECTS DATA 

7.1. The school receives personal data from the individual directly, including in the case of pupils, from their parents. 

7.2. For pupils this is via the data collection process prior to admission, or in the ordinary course of interaction or communication such as email, written assessments, or trip permission. 

7.3. Directly by email to an intended party.

7.4 For the School’s Advancement activity information is collected directly from the individual through various points including data collection during the admissions process, the Management Information System (MIS), leavers form, online registration, events, when making donations, alumni update forms, verbally via telephone or personal meetings, from contact within the community, general correspondence and social media closed groups such as LinkedIn or Facebook. Information may also be collected from publicly available sources in order to maximize the school’s communication or fundraising efforts. 

7.5. For other activities, including those for the wider community, personal data is received directly from the individuals via a data collection or registration process. 

7.6. In some cases, personal data may be supplied by third parties, for example another school, or other professionals or authorities working with that individual.

8. THE LAWFUL BASIS ON WHICH THE SCHOOL USES INFORMATION 

8.1. The school’s primary condition for use of personal data is made in accordance with the school’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals.

8.2. In addition, the school’s processing is lawful because: 

  • The processing is necessary for the performance of an employment contract. 
  • The processing is necessary for the performance of a legal obligation to which the school is subject, for example our legal duty to safeguard pupils. 
  • The processing is necessary to protect the vital interests of others, i.e., to protect pupils from harm. 
  • The processing is necessary for the performance of the school’s education function.

8.3. The school will not usually need consent to use information apart from as detailed in the enrollment and reenrollment package. However, if at any time the school will use personal data in a way which means consent is required this will be requested. If an individual gives their consent, they may change their mind at any time. 

8.4. When the School collects personal information, it will be made clear whether there is a legal requirement to provide it, and whether there is a legal requirement on the school to collect it. If there is no legal requirement, then the school will explain why it is needed and what the consequences are if it is not provided. 

8.5. If at any time the school wishes to use personal data in a way that requires an individual’s consent, this will be explained to any individuals concerned and positive opt in consent will be requested. Individuals always have the right to withdraw consent, where given, or otherwise object to direct marketing. However, the School may need nonetheless to retain some details, not least to ensure that no more communications are sent to that particular address, email, or telephone number.

9. SECURITY OF PERSONAL DATA 

9.1. The school will take reasonable steps to ensure that members of staff will only have access to personal data where it is necessary for them to carry out their duties. All staff will be made aware of this Policy and their duties under the GDPR/PIPL. The school will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorized persons. 

9.2. For further details as regards the security of IT systems, please refer to the Acceptable Use Policy.

10. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES 

10.1 For the most part, personal data collected by the school will remain within the school and will be processed by appropriate individuals only in accordance with access protocols and on a ‘need to know’ basis. Particularly strict rules of access apply in the context of: 

  • medical records, held and accessed by the Medical Centre/Staff and any teaching and pastoral or resident staff that need to be aware in order to provide necessary care for the pupil. 
  • pastoral and safeguarding files held by the Child Protection Team or Counselors.

10.2. Occasionally, the school will need to share personal information relating to our community with third parties. The following list includes the most usual reasons that the school will authorize disclosure of personal data to a third party: 

10.2.1 To give a confidential reference relating to a current or former employee, volunteer, or pupil.

10.2.2. For the prevention or detection of a crime. 

10.2.3. For the assessment of any tax. 

10.2.4. Where it is necessary to exercise a right or obligation conferred or imposed by law upon the school. 

10.2.5 For the purpose of, or in connection with, legal proceedings.

10.2.6. For the purpose of, obtaining legal advice. 

10.2.7. For research, historical and statistical purposes

10.2.8. To publish the results of an examination or other achievements of pupils of the school. 

10.2.9. To disclose details of a pupil’s medical condition where it is in the pupil’s interest to do so and there is a legal basis for doing so. 

10.2.10. To provide information to another educational establishment to which a pupil is transferring, including to notify it of any outstanding fees. 

10.2.11. To provide information for external examination or competition for registration purposes (New Brunswick provincial assessment, MAP Assessment, Waterloo Math Competition, MUN, etc.). 

10.2.12. To provide information to relevant government departments concerned with enrollment and licensure. 

10.3. A certain amount of any SEN pupil’s relevant information is provided to staff more widely in the context of providing the necessary care and education that the pupil requires.

10.4. Staff, pupils, and parents are reminded that the school is under duties imposed by law and statutory guidance to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This may include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities (such as the local authority) or police. For further information about this, please view the School’s Child Protection Policy.10.5. Some of the School’s processing activity is carried out on its behalf by third parties, such as IT software systems, web developers, cloud storage providers, learning management system providers, student information management systems providers and, mailing services. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the school’s specific directions, with data sharing agreements in place where appropriate. 

Software as a service (SAAS) providers may include, but are not limited to:

  • Managebac
  • Schools buddy
  • Open Apply
  • Microsoft 365 (all applications)
  • Infinity Data Management platform
  • Seesaw
  • Nessy
  • Measure of Academic Progress (MAP) Assessment Platform
  • InThink
  • Cognity
  • Pamoja
  • Raz Kids
  • Class Creator
  • CanGlory (English, LMS, UniPath)
  • NovaLearn
  • LinguaSkills
  • SAT provided by ETS
  • Cambridge Suite
  • Destiny
  • Follett Resource Management

10.6. For pupils introduced to the school by an international agent, the school has signed agent agreements in place

10.7. The school uses information about pupils for statistical purposes, to evaluate and develop education policy and to monitor the performance of the foundations (AKD) education service as a whole. The statistics are used in such a way that individual pupils cannot be identified from them. On occasion the foundation may share the personal data with other Government Departments or agencies strictly for statistical or research purposes. 

10.8. The school may receive requests from third parties (i.e., those other than the data subject, the school, and employees of the school) to disclose personal data it holds about pupils, their parents or guardians, staff, or other individuals. This information will not generally be disclosed unless one of the specific exemptions under data protection legislation which allow disclosure applies; or where necessary for the legitimate interests of the school or the third party to which the information will be disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. 

10.9. All requests for the disclosure of personal data must be sent to the Head of School and Director of Operations, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of that third party before making any disclosure.

11. HOW LONG THE SCHOOL WILL KEEP PERSONAL DATA

11.1 The school retains personal data securely and in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the GDPR/PIPL recommendation for how long to keep ordinary staff and pupil personnel files is between 10 to 15 years after employment or graduation, but this is subject to type and purpose. 

12. CONFIDENTIALITY OF PUPIL CONCERNS

12.1 Where a person seeks to raise a concern confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents or guardian, the school will maintain confidentiality unless it has reasonable grounds to believe that the pupil does not fully understand the consequences of withholding their consent, or where the school believes disclosure will be in the best interest of the pupil or other pupils as per the Child Protection Policy. 

13. SUBJECT ACCESS REQUESTS

13.1. Anybody who makes a request to see any personal information held about them by the school is making a subject access request. All information relating to the individual, including that held in electronic or manual files should be considered for disclosure.

13.2 The individual’s full subject access right is to know:

  • Whether personal data about him or her are being processed
  • The purpose of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom their personal data have been or will be disclosed
  • The envisaged period for which the data will be stored or where that is not possible, the criteria used to determine how long the data are stored
  • The existence of a right to request erasure of personal data or restriction of processing or to object to the processing 
  • The right to lodge a complaint
  • Where the personal data are not collected from the individual, any available information to their sources
  • Details of the safeguards in place for any transfer of the data to other locations. 

13.3. All requests should be sent to the Head of School or Director of Operations and must be dealt with in full without delay and at the latest within one month of receipt. The school may extend the time to respond by a further two months if the request is: 

  • complex; or 
  • the school has received several requests from the individual 

13.4. Where a child or young person does not have sufficient understanding to make his or her own request (usually those under the age of 12, or over 12 but with a special educational need which makes understanding their information rights more difficult), a person with parental responsibility can make a request on their behalf. 

The Head of School and Director of Operations, however,  are satisfied that: 

13.4.1. the child or young person lacks sufficient understanding; and 

13.4.2. the request made on behalf of the child or young person is in their interests.

13.5. Any individual, including a child or young person with ownership of their own information rights, may appoint another person to request access to their records. In such circumstances the school must have written evidence that the individual has authorized the person to make the application and the Head of School must be confident of the identity of the individual making the request and of the authorization of the individual to whom the request relates. 

13.6. Access to records will be refused in instances where an exemption applies, for example, information sharing may place the individual at risk of significant harm or jeopardize police investigations into any alleged offence(s). 

13.7. A subject access request must be made in writing. The school may ask for any further information reasonably required to locate the information.

13.8. An individual only has the automatic right to access information about themselves, and care needs to be taken not to disclose the personal data of third parties where consent has not been given, or where seeking consent would not be reasonable, and it would not be appropriate to release the information. Particular care must be taken in the case of any complaint or dispute to ensure confidentiality is protected.

13.9. Where all the data in a document cannot be disclosed a permanent copy should be made and the data obscured or retyped if this is more sensible. A copy of the full document and the altered document should be retained, with the reason why the document was altered.

14. RIGHT TO OBJECT TO PROCESSING

14.1. An individual has the right to object to the processing of their personal data on the grounds of pursuit of a public interest or legitimate interest (grounds 4.5 and 4.6 above) where they do not believe that those grounds are adequately established. 14.2. Where such an objection is made, it must be sent to the Head of School within 2 working days of receipt, and they will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights, and freedoms of the individuals, or whether the information is required for the establishment, exercise, or defense of legal proceedings. 

14.2. The Head of School shall be responsible for notifying the individual of the outcome of their assessment within 21 term time days of receipt of the objection.

15. RIGHT TO ERASURE

15.1. Individuals have a right, in certain circumstances, to have data permanently erased without undue delay. This right arises in the following circumstances: 

15.1.1. where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed. 

15.1.2. where consent is withdrawn and there is no other legal basis for the processing. 

15.1.3. where an objection has been raised under the right to object and found to be legitimate.

15.1.4. where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met). 

15.1.5. where there is a legal obligation on the school to delete.

15.2. The Head of School will decide regarding any application for erasure of personal data and will balance the request against the exemptions provided for in the law. Where a decision is made to erase the data, and this data has been passed to other data controllers, and/or has been made public, reasonable attempts to inform those controllers of the request shall be made. 

16. RIGHT TI RESTRICT PROCESSING

16.1. In the following circumstances, processing of an individual’s personal data may be restricted: 

16.1.2. where the accuracy of data has been contested, during the period when the school is attempting to verify the accuracy of the data. 

16.1.3. where processing has been found to be unlawful, and the individual has asked that there be a restriction on processing rather than erasure. 

16.1.4. where data would normally be deleted, but the individual has requested that their information be kept for the purpose of the establishment, exercise, or defense of a legal claim.

17. BREACH OF ANY REQUIREMENT OF THE GDPR 

17.1 Any and all breaches of the GDPR/PIPL, including a breach of any of the data protection principles, shall be reported as soon as it is/they are discovered, to the Head of School Head or Director of Operations 

17.2 Once notified, the relevant party shall assess: 

17.2.1 the extent of the breach. 

17.2.2 the risks to the data subject(s) as a consequence of the breach. 

17.2.3 any security measures in place that will protect the information. 

17.2.4 any measures that can be taken immediately to mitigate the risk to the individual(s). 

17.3 Unless the relevant party is unable to see any risk to individuals from the breach, the individual or legal guardian of a pupil must be notified of the breach having come to the attention of the school. 

18. CONTACT

18.1 Any comments or queries on this policy should be directed to the Head of School or Director of Operations. 

18.2 If an individual believes that the school has not complied with this policy or acted otherwise than in accordance with GDPR/PIPL, they should utilize the school’s communication process and procedures outlined in the relevant party handbooks. 

Advertisement