The Education Auditorium
Data Protection Policy
Version: 1.4
Date: 1 Aug 2024
Next review date: March 2025
Introduction and purpose
The Education Auditorium Ltd (in short, “The Education Auditorium”) is committed to data protection and supports the data protection rights of all those with whom it works, including, but not limited to, staff and students. Our Data Protection Policy sets out the accountability and responsibilities of The Education Auditorium, its staff and its students to comply fully with the provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
· The Education Auditorium Ltd is the data controller for the personal data it processes and is registered with the Information Commissioner’s Office (ICO) under registration number ZB595836.
· The purpose of this policy is to explain how The Education Auditorium handles personal data under the data protection legislation (GDPR 2016 and the UK Data Protection Act).
· The policy forms the framework that everybody at The Education Auditorium processing personal data should follow to ensure compliance with the data protection legislation.
· The Education Auditorium has appointed a Data Protection Officer (DPO) to monitor and advise on compliance with the GDPR and the Data Protection Act 2018. Information can be obtained from the DPO, who can be contacted via info@education-auditorium.co.uk.
Responsibilities under the policy
The Education Auditorium is the data controller and has the responsibility to implement and comply with data protection legislation. In determining the purposes for which, and the manner in which, personal data is processed, The Education Auditorium must adhere to the Data Protection Principles as set out in the legislation. Details of the principles and main requirements for compliance can be found in the Data Protection Policy.
Data Security
All users of personal data at The Education Auditorium must ensure that personal data is always held securely and not disclosed to any unauthorised third party either accidentally, negligently, or intentionally.
Privacy Notices
The Education Auditorium provides data subjects with a “Privacy Notice” to let them know how and for what purpose their personal data is processed.
Responsibilities of Data users
The teachers, administrative and technical teams at The Education Auditorium have the responsibility to ensure compliance with the Data Protection Policy, and to develop and encourage good information handling practices within their areas of responsibility. All data users of personal data within The Education Auditorium have a responsibility to ensure that they process the data in accordance with the terms set down in this document.
Subject Access Requests
If a data subject wishes to see copies of the information held on them by The Education Auditorium, the request should be submitted in writing by letter or email to the DPO at info@education-auditorium.co.uk. A response is normally made within 10 days.
Procedures for Responding to Data Breaches
If any member of staff at The Education Auditorium becomes aware of a data breach situation, they must ensure this is reported to the DPO as soon as possible. The Education Auditorium is obliged to keep a record of all breaches and investigate them to an appropriate level, in order to ascertain what can be learnt from the circumstances surrounding each and to use this to review procedures as required, with the aim of preventing a similar breach occurring again. Some breaches of a more serious nature will need to be reported to the ICO.
Type of data Needed to be Provided to The Education Auditorium
Below, the phrase ‘school admin’ refers to the admin assigned by the school to manage their account on our eLearning platform. The school’s admin is the only party from the school who is able to register/deregister teachers and students on our platform, add/remove classes, and add/change passwords for teacher and student accounts.
The only exception to the above is if the school’s admin asks The Education Auditorium’s team in writing to upload the list of classes and students to their platform account on their behalf. In such a case, the list should be provided to us through a password-protected CSV template or any other secured means. The list would be limited to the first and last names of students and teachers, the names of the classes to which the students and teachers are assigned, and the names of the subjects/courses to which each class is linked, in order to assign the corresponding students and teachers to them.
The list below includes the data that the school’s admin needs to provide to our eLearning platform through a direct CSV file upload in order to enable the platform to execute and deliver to the school’s students and teachers the expected tasks and reports that they signed up for.
The information held by our eLearning platform is as follows:
· First and last names of the subscribed students, teachers and the school’s admin.
· The names of the classes and subjects/courses and the students assigned to them.
· The temporary password for the school’s admin, which our platform auto-generates upon creating the subscription and assigning a school admin to it. The school/college’s admin is prompted to change the temporary password right after the first time they sign in with it. Once the temporary password is changed, no one at The Education Auditorium will be able to see the password since it’ll be automatically encrypted. Once the temporary password is changed by the school’s admin, he or she can start adding/removing teachers and students to the school/college’s account and generate/change teacher and student passwords.
The platform doesn’t provide the ability for students or teachers to add their emails or phone numbers to their account since there have been no fields/records made available for such purpose. The only emails our eLearning platform requires are the school admin’s email and the school’s general email.
Right to erasure
In certain circumstances data subjects have the right to have their data erased. This only applies:
· Where the data is no longer required
· Where the data subject withdraws consent or
· Where the data is being processed unlawfully
Where The Education Auditorium Stores the School’s Data?
All data uploaded by the respective schools’ admins to our eLearning platform is stored securely on Amazon Web Services (AWS) cloud servers. AWS servers are designed to meet the highest international standard of cyber security. According to Amazon Web Services (AWS), “AWS is architected to be the most secure global cloud infrastructure on which to build, migrate, and manage applications and workloads.”
Direct Communications With the School’s Teachers and Students
Direct communication with the school’s teachers and students is not permitted or facilitated by our eLearning platform. The only contact point for The Education Auditorium is strictly the school’s admin. Moreover, our platform has been designed with no facility to enable communications with any party outside the school’s account. Communication through our eLearning platform is strictly limited to student-to-teacher and student-to-school’s admin. There’s no communication facility available on our platform that enables student-to-student, student-to-The Education Auditorium’s team or student-to-third-party communication.
Fairness and transparency
The Education Auditorium shall be fair, open, and transparent in the way it handles personal data, and will publish privacy notices which explain:
· What personal data The Education Auditorium processes and why
· How long we keep the data for
· How to contact our DPO
Data Protection Breaches
The Education Auditorium is responsible for ensuring appropriate security for the personal data that it holds. This includes protecting the data against unauthorised processing and against accidental loss. The Education Auditorium makes every effort to avoid data protection incidents; however, it is possible that mistakes will occur on occasion. Personal data incidents might occur through, but are not limited to:
· Loss or theft of data or equipment on which data is stored
· Equipment failure
· Human error
· Unforeseen circumstances such as a fire or flood
· Hacking attack
Any data protection incident must be brought to the attention of The Education Auditorium’s DPO, who will investigate and decide whether the incident constitutes a data protection breach. If it does, it must be reported to the affected individuals or client.
The Duration the School’s Data are Kept With the Education Auditorium
The school’s data is kept with the account unless the school’s admin requests deletion of all or a specific set of the data that belongs to them. In the event of the subscription being cancelled by the school or by The Education Auditorium, it would take up to 90 days to delete all the data that our eLearning platform holds for them. This period can be shortened to become immediate if the school asks us to do that for them.
Passwords and protection of hardware
Passwords for accessing systems by The Education Auditorium must be complex enough to make it extremely difficult for third parties to break them: passwords should be at least 8 characters long, have a mixture of upper case and lower case letters, at least one number and one character. Passwords should be changed regularly, and never shared with any other member of staff or shared amongst other users.
Mobile devices (such as laptops) must be protected to the same high standard, including a security PIN. The Education Auditorium and its employees using the devices are responsible for any information accessed or disclosed on these devices. The Education Auditorium’s employees using the device must keep their password safe and secure, and not share it with anyone else.
Accessing and sharing information
Procedure of Sharing Data Inside The Education Auditorium That Employees Must Follow:
When sharing information with others within The Education Auditorium, if information is of a confidential, sensitive, or personal nature, it must be treated as such. Information should only be shared with the individuals who require it; do not copy other individuals into emails if they do not require access to the information contained within. Delete sensitive, confidential, or personal information once it has been used for the purpose for which it was collected and is no longer required.
Procedure of Sharing Data Outside The Education Auditorium That Employees Must Follow. Such sharing is prohibited unless explicit written approval is obtained from the related school, college or client, and is carried out as follows:
· Never send personal data within a normal email. If email is the only method of transmission available, ensure the information is included in a password protected document. The password must be agreed with the email recipient in advance, and via telephone, not in another email. Never include the password in the email to which the password protected document is attached, nor send the password via another email (if the first email is intercepted, then the second could also be).
· Ensure that only the required data is provided. Always check why people require the data they ask for.
Storage of Data on Portable Devices
· The loss of any device that belongs to The Education Auditorium that can send, store or retrieve data must be reported to The Education Auditorium DPO immediately.
· Devices that can transmit and receive data must be protected by a strong, secure password.
· Any employee of The Education Auditorium who uses portable devices to access or store data is responsible for the information transported on them. This includes memory sticks, laptops, external hard disk drives, mobile phones and tablets.
· All portable devices that you use for the transport or storage of data of a personal or sensitive nature must be encrypted, and care must be taken to safeguard the equipment against loss or damage.
Roles and responsibilities
The Administrator
The Administrator has day-to-day responsibility for ensuring this policy is adopted and adhered to by employees and other individuals processing personal data on The Education Auditorium’s behalf.
Data Protection Officer
The DPO is responsible for:
· Informing and advising The Education Auditorium of their obligations under the data protection legislation
· Monitoring compliance with data protection policies
· Raising awareness and delivering training to employees
· Carrying out audits on The Education Auditorium’s processing activities
· Acting as the contact point for data subjects exercising their rights
The Education Auditorium’s Data Protection Link Officer can be contacted at info@education-auditorium.co.uk or on 02032906666.
The end of the document.