Data Protection and Security Policy
At Virtual Work Experience we are committed to protecting and respecting your privacy.
This Policy explains when and why we collect personal information about people who visit our website, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
We may change this Policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our website, you are agreeing to be bound by this Policy.
Any questions regarding this Policy and our privacy practices should be sent by email to email@example.com or by writing to Virtual Work Experience, 9 Walnut Close, Cannock Staffordshire WS11 6NE. Alternatively, you can telephone 01543 889 552.
We respect your right to privacy. This Data Protection and Security Policy sets out details of the information that we may collect from you and how we may use that information.
In this Data Protection and Security Policy, references to ‘we’ or ‘us’ are to Virtual Work Experience a company incorporated (registered number 12779817) whose registered office is at 9 Walnut Close, Cannock WS11 6NE, who will be the controller of any personal data processed as described in this Data Protection and Security Policy.
This policy meets the requirements of the GDPR and the expected provisions of the Data Protection Act 2018. It is based on guidance published by the Information Commissioner’s Office (ICO) on the GDPR. We will put measures in place to show that we have integrated data protection into all of our data processing activities and demonstrate an approach of data protection by design and default.
This policy applies to all personal data, regardless of whether it is in paper or electronic format.
Any information relating to an identified, or identifiable, individual.
This may include the individual’s:
It may also include factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
|Sensitive personal data||
Personal data which is more sensitive and so needs more protection, including information about an individual’s:
|Processing||Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying can be automated or manual.|
|Data subject||The identified or identifiable individual whose personal data is held or processed.|
|Data controller||A person or organisation that determines the purposes and the means of processing of personal data.|
|Data processor||A person or other body, other than an employee of the data controller, who processes personal data on behalf of the data controller.|
|Personal data breach||A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.|
Data Protection principles
The GDPR is based on data protection principles which state that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary to fulfil the purposes for which it is processed
- Accurate and, where necessary, kept up to date
- Kept for no longer than is necessary for the purposes for which it is processed
- Processed in a way that ensures it is appropriately secure
All information we collect is treated in line with these principles.
What information do we collect?
Virtual Work Experience Ltd holds data on staff, pupils, service users and other individuals who come into contact with the organisation in order to deliver its programmes and services. Virtual Work Experience Ltd is therefore a data controller.
If you are a young person who benefits from our programmes, we will only collect your first name and surname to issue a password for you to access our platform.
We will not collect any personal data from anyone that we do not need.
How do we use your information?
Virtual Work Experience Ltd is a data controller as a provider of a virtual work experience programme. This means that we have numerous reasons for processing data.
We rely on the following legal basis for processing. These examples are not limited; there may be other areas where we use this basis for other functions.
We rely on ‘legitimate interest’ to process data associated with the creation of a password to access our platform.
How is this information shared?
All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting some of this information is located on international servers. Servers based outside of the EU are obliged to comply with GDPR regarding data that concerns EU citizens.
Microsoft Forms are a third party who have access to your personal data.
No other third party has access to any personal data unless the law allows them to do so. This may be in the cases as outlined below:
- If there is an issue with a pupil or parent/carer that puts the safety of our staff at risk
- If we need to liaise with other agencies – we will seek consent as necessary before doing this
- If our suppliers or contractors need data to enable us to provide services to our staff and pupils. When doing this, we will:
- Only appoint suppliers or contractors which can provide sufficient guarantees that they comply with data protection law
- Establish a data sharing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share
- Only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
- The prevention or detection of crime and/or fraud
- The apprehension or prosecution of offenders
- In connection with legal proceedings
- Where the disclosure is required to satisfy our safeguarding obligations
- Research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided
We will tell you what purposes we will use information for when we collect it and if information will be shared tell you why, with whom and under what circumstances.
We share personal information with others only when it is necessary and legally appropriate to do so. We have clear procedures for responding to requests for access to personal information.
Who is responsible for this policy?
Virtual Work Experience Ltd Data Protection Officer (DPO) is responsible for overseeing the implementation of this policy, monitoring our compliance with data protection law, and developing related policies and guidelines where applicable.
The policy applies to all staff employed by Virtual Work Experience Ltd, and to external organisations or individuals working on our behalf.
Staff are responsible for:
- Collecting, storing and processing any personal data in accordance with this policy
- Informing Virtual Work Experience Ltd of any changes to their personal data, such as a change of name or email address
- Contacting the Data Protection Officer (DPO) in the following circumstances:
- With any questions about the operation of this policy, data protection law, retaining personal data or keeping personal data secure
- If they have any concerns that this policy is not being followed
- If they are unsure whether or not they have a lawful basis to use personal data in a particular way
- If they need to rely on or capture consent, draft a privacy notice, deal with data protection rights invoked by an individual, or transfer personal data outside the European Economic Area
- If there has been a data breach
- Whenever they are engaging in a new activity that may affect the privacy rights of individuals
- If they need help with any contracts or sharing personal data with third parties
All staff are provided with data protection training as part of their induction process.
Data protection will also form part of continuing professional development, where changes to legislation, guidance or Virtual Work Experience Ltd processes make it necessary.
How long do we keep information for?
We are committed to appropriate data retention and will ensure that information is not held longer than is necessary, and that when information is authorised for disposal it is done appropriately.
If we want to use personal data for reasons other than those given when we first obtained it, we will inform the individuals concerned before we do so and seek consent where necessary.
How can you manage or delete information about you?
You have the right to make a ‘subject access request’. This may be to: confirm that we are processing your data; access a copy of your data; enquire why your data is being processed; enquire who the data has been, or will be, shared with; enquire how long the data will be stored for; or withdraw your consent, amongst other queries.
To submit a subject access request, write to the Data Protection Officer (DPO) using the details in section 21. Requests should include your name, contact details and details of your request. If staff receive a subject access request, they should immediately forward it to the DPO.
Personal data about a child belongs to that child, and not the child’s parents or carers. For a parent or carer to make a subject access request with respect to their child, the child must either be unable to understand their rights and the implications of a subject access request or have given their consent.
How do we process recruitment and employment information?
All of the information you provide during the application process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details you provide to us to contact you to progress your application. The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
How long is the information retained for?
- If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration and references.
- If you are unsuccessful for the position you have applied for we will retain information provided as part of your application for a period of 12 months. We may also retain your information in our talent pool to proactively contact you should any further suitable vacancies arise during this period.
What other rights do you have with regards to your data?
In addition to the right to make a subject access request you also have the right to:
- Withdraw your consent to processing at any time
- Ask us to rectify, erase or restrict processing of your personal data, or object to the processing of it (in certain circumstances)
- Challenge processing which has been justified on the basis of public interest
- Request a copy of agreements under which your personal data is transferred outside of the European Economic Area
- Prevent processing that is likely to cause damage or distress
- Be notified of a data breach in certain circumstances
- Make a complaint to the ICO
- Ask for your personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances)
As part of our activities, we may take photographs and record images of individuals whilst using the platform.
We will obtain written consent from parents/carers, or pupils aged 18 and over, for photographs to be taken of their child for communication, marketing and promotional materials. We will clearly explain how the photograph will be used to both the parent/carer and pupil.
Where we need consent, we will clearly explain how the photograph will be used to both the parent/carer/pupil and pupil. Where we don’t need parental consent, we will clearly explain to the pupil how the photograph will be used.
Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph and not distribute it further.
What are our security responsibilities?
- ensure that access to confidential data is confined to those with justified authority to view it, with appropriate levels of access granted to users;
- ensure that all system assets are operated according to specification;
- ensure that information is only delivered to those who need it within the organisation, when appropriate, and is limited to these people;
- ensure that databases have nominated users responsible for ensuring that the database is used in accordance with this policy;
- encourage our partners to follow the principles outlined in this policy, and our IT support contractor will report incidents where necessary. Contractors will assist in monitoring the effectiveness of IT security within the organisation and initiating any requested changes to security procedures which become necessary as a result of the monitoring process.
How do we manage secure access to our systems?
Virtual Work Experience Ltd employees will have access to machines only via usernames and passwords. The IT support management and IT Support contractor only have access to usernames and passwords. The Director will be responsible for resetting passwords and removing old data and information in the eventuality that equipment transfers between staff.
The Directors will ensure that usernames are locked in a timely manner when staff leave the organisation. The Directors will keep a record of user access rights for all staff across the organisation.
How do we protect our hardware?
An asset register of computer equipment is maintained. No equipment should be removed from site without the approval of the Directors – except for portable computers / devices that are the responsibility of each named individual user. Hardware should not be left unattended, unless securely stored in lockable cabinets when not in use.
Hardware in particularly vulnerable areas or containing sensitive data should make use of physical security measures such as locking office doors or installing locking devices to secure hardware to desk. Redundant hardware (including PCs, laptops and portable devices) will be disposed of in accordance with the appropriate policies
Care should be exercised when eating or drinking near IT equipment. The location of all hardware (computers, printers, modems etc.) should comply with Health and Safety standards including the stability of the desk surface, and elimination of trailing cables.
All personal computers and printers should be switched off when not in use for extended periods, such as overnight or during weekends. Air vents on computers should not be obstructed.
How do we control our software?
All software must be purchased through the central purchasing system and no software should be installed without prior permission. The download of files is not permitted unless agreed by the director.
We ensure protection from viruses by following the Computer Misuse Act 1990 which states that the deliberate introduction of malicious software to a system is a criminal offence. No files should be loaded on to any system from an external portable device unless they have first been virus checked by staff. Anti-virus software is installed on PCs and where a virus is detected this will be reported immediately to the IT support provider.
How do we keep our environment secure?
We ensure that security is carefully considered when locating PCs, using laptops on site and storing documents and paperwork. We ensure that all key holders responsible for lockable cabinets and doors will make the appropriate information security checks when opening / closing the office including closing down machines, ensuring cabinets are locked and areas containing sensitive information are secure. Appropriate signing in and signing out processes will be in place.
How will we review this policy?
This policy will be reviewed and updated if necessary when the Data Protection Bill receives royal assent and becomes law (as the Data Protection Act 2018) – if any changes are made to the bill that affect Virtual Work Experience Ltd practice. Otherwise, or from then on, this policy will be reviewed annually.
Virtual Work Experience Ltd will notify you of changes to the Data Protection and Security Policy.
How can you contact Virtual Work Experience Ltd?
For further information on how your data is used, or if you have any questions, comments or complaints about this policy, please contact:
Joanne Shalloe: 01543 889 552
Or write to us: Virtual Work Experience Ltd, 9 Walnut Close, Cannock, Staffs WS11 6NE