Alef Trust Data Protection Policy
DATA PROTECTION STATEMENT
Alef Trust takes your privacy seriously and we will only use your personal information to maintain communications, to complete the process of course or programme registration and to maintain your enrolment as a student. Alef Trust deals with all personal information provided in a responsible manner that respects personal privacy and is in full compliance with the Data Protection Act 2018 (DPA) which applies the standards of the EU’s new General Data Protection Regulation (GDPR). Although the DPA/GDPR are UK and EU regulations, Alef Trust applies the same high standards for the protection of your privacy and personal information, regardless of where you are located. Additional information on the Alef Trust Privacy, Data Protection and other Policies can be found by visiting our Privacy & Data Protection Page. If you have any questions about how Alef Trust collects or uses your personal information, please use the form below to contact our Data Protection Officer.
- General Statement of Alef Trust’s Duties and Scope
- Accessibility of this document
- Data Protection Controller and Data Protection Officer
- The Principles
- Personal Data
- Data Security
- Rights of the Data Subject
- Processing of Personal Data
- Sensitive Personal Data
- Rights of Access to Information (Subject Access Request or ‘SAR’)
- External Processors and Controllers
- Secure Destruction
- Retention of Data
- Contacts and Representatives
DATA PROTECTION POLICY
1. General Statement of Alef Trust’s Duties and Scope
Alef Trust is required to process relevant personal data regarding members of staff, applicants, volunteers, students, alumni and shall take all reasonable steps to do so in accordance with this policy. Alef Trust does not buy or sell personal data.
- “Students” is all persons studying at Alef Trust.
- “All Staff” is all staff or employees of Alef Trust, including those on temporary or part time contracts and volunteers.
- “Data Subject”, is a living natural individual who is the subject of the personal data.
3. Accessibility of this document.
This policy is written using clear and plain language and is considered as age appropriate (Age 13 and above) for the accessibility of all data subjects of Alef Trust.
4. Data Protection Controller and Data Protection Officer
Alef Trust has appointed our Administrator as Data Protection Officer (DPO) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of current Data Protection Legislation, currently the Data Protection Act 1998 and (EU) General Data Protection Regulation (GDPR). The Protection of Freedoms Act 2012 is also relevant to parts of this policy.
5. The Principles
Alef Trust shall comply with the Data Protection principles contained in the legislation to ensure all data is:
- Fairly and lawfully processed in a transparent manner.
- Processed for a legitimate purpose.
- Adequate, relevant and not excessive.
- Accurate and up to date.
- Not kept for longer than necessary.
- Processed in accordance with the data subject’s rights.
- Processed securely.
6. Personal Data
Personal data covers both facts and opinions about an individual where that data identifies an individual. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary or a students’ attendance record and exam results. Personal data may also include sensitive personal data as defined in the legislation.
7. Data Security
Alef Trust will take appropriate technical and organisational steps to ensure the security of personal data.
All staff will be made aware of this policy and their duties under the legislation.
Alef Trust and therefore all staff and students are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to all personal data. Violations of this policy by staff may be treated as misconduct or gross misconduct.
An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and should be encrypted when transported or saved on personal computers or portable devices such as cell phones or tablets.
8. Rights of the Data Subject
GDPR expands the rights of the data subject over previous legislation, specifically data subjects have:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
This policy and the published Privacy Statement are part of these rights. If you wish to exercise any of these rights, with the exception of the right to access, please contact the Alef Trust Data Protection Officer using the form at the bottom of this page. Information on the right of access and how to exercise that are specifically detailed in this policy.
Not all rights are applicable to all personal data, and may depend on the lawful basis that personal data is being processed under.
9. Processing of Personal Data
Alef Trust maintains a Privacy Statement which details personal information processed and the legal basis for processing that data. The current version can be viewed at https://www.aleftrust.org/about/privacy-data-protection/privacy-statement/.
Alef Trust processes some personal data for purposes considered direct marketing through our mailings list. Data subjects have the right to withdraw consent to these activities.
10. Sensitive Personal Data
Alef Trust may, from time to time, be required to process sensitive personal data. Sensitive personal data that Alef Trust may handle includes data relating to medical information, gender, religion, race and sexual orientation.
11. Rights of Access to Information (Subject Access Request or ‘SAR’)
Data subjects have the right of access to their Personal data held by Alef Trust, subject to the provisions of current Data Protection legislation. Any data subject wishing to access their personal data should put their request in writing or through email to the Alef Trust DPO. Alef Trust will endeavour to respond to any such written or emailed requests as soon as is reasonably practicable and, in any event, within one month for access to personal data and 21 days to provide a reply to a Subject Access Request. The information will be made available to the data subject as soon as is reasonably possible after it has come to Alef Trust’s attention and in compliance with the relevant legislation. Proof of identity is required before any information will be made available.
Only the DPO may accept or respond to a Subject Access Request. Any other staff receiving such a request MUST immediately pass it to the DPO for processing or refer the person making the request to the DPO. Subject Access Requests can be made through the following form at https://www.aleftrust.org/about/privacy-data-protection/request-update-or-delete-your-personal-information/
Certain personal data or obligations are exempted from some of the provisions of the Data Protection legislation which includes matters such as processing for National Security and Public Security, the prevention or detection and prosecution of criminal offences. The above are examples only of some of the exemptions under the legislation. Any further information on exemptions should be sought from the DPO.
Alef Trust will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify Alef Trust of any changes to information held about them.
If an individual believes that Alef Trust has not complied with this policy or acted otherwise than in accordance with data protection legislation, the data subject or staff member should notify the DPO.
15. External Processors and Controllers
Alef Trust must ensure that data processed by external processors, for example, service providers and Cloud services including storage, web sites and Learning Management Systems are compliant with this policy and the relevant legislation. All external processors and controllers must be listed in the data processing register maintained by the DPO.
16. Secure Destruction
When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.
17. Retention of Data
Subject to any other notices that we may provide to you, Alef Trust may retain your personal data for a period of six years after your association with us has come to an end. However, some information may be retained indefinitely by us in order to maintain your academic record for archiving purposes.