Data Protection Policy
Policy Statement
Skywise Educational Guardianship UK Ltd is fully committed to protecting the privacy and security of all personal information we hold about students, parents, homestays, schools, agents, and staff. We recognise our responsibilities under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy outlines how we collect, use, store, share, and protect personal data in the course of providing educational guardianship services.
For the purposes of this policy, Skywise is the data controller, and we are registered with the Information Commissioner’s Office (ICO) under registration number ZB866296.
The purpose of this Policy is to explain how we handle personal information under the relevant data protection laws, and to inform employees and other individuals who process personal information on our behalf, of our expectations in relation to this.
Scope
This policy applies to the processing of personal information that is held by Skywise. This includes personal information about employees, volunteers, parents, students, homestays, visitors, and any other individuals who engage with us.
This policy should be read in conjunction with the Skywise Privacy Notice Policy.
Definitions
The following terms are used throughout this policy and it is important that you understand what they mean:
● Personal data: Any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
● Data subject: The identified or identifiable living individual to whom personal data relates.
● Controller: A person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
● Processor: A person or organisation which processes personal data on behalf of the controller, and in accordance with their instructions.
● Processing: This is anything that you do with data, including collecting, recording, storing, using, analysing, combining, disclosing, or deleting it.
● Special category data: This is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data, biometric data, and data concerning a person’s health, their sex life, and sexual orientation.
Roles and responsibilities
Skywise is the data controller, and we are responsible for complying with the UK GDPR.
● The Information Commissioner’s Office (ICO): Zhiying Zheng
Email: tina.zheng@skywisegroup.com
Phone: 07792 766329
● Data Protection Officer: Mrs Katherine Lee
Phone: 07809 721064
Email: katherine.lee@skywisegroup.com
The ICO/Director/Owner Zhiying Zheng has day-to-day responsibility for ensuring that this policy is implemented, adopted and adhered to by employees and all other individuals who process personal information on behalf of Skywise.
● Employees
All employees and any other individuals who process personal information on behalf of Skywise are responsible for complying with this policy in its entirety. Failure to comply with this policy may result in disciplinary action being taken, or the termination of an employment contract.
● Host Families
We collect and process a range of information from host families to facilitate safe and effective guardianship placements. This includes details provided on application and registration forms, CVs, and any photographs submitted for host family profiles. We retain confidential written references from the referees you nominate, notes taken during interviews and home visits, and records of our observations. Additionally, we collect and hold data supplied by the Disclosure and Barring Service (DBS), feedback received from students, and any feedback you may provide. We also record information relating to meetings, as well as communications via email, telephone, and written correspondence. Banking details are processed securely for the purpose of fee payments. This information is processed under the lawful basis of legitimate interest, to deliver the service you have requested and occasionally to inform you of other relevant services we believe may be of interest. You may opt out of this processing at any time by contacting our Data Protection Officer, Mrs Katherine Lee, via email or telephone.
Data protection principles
The UK GDPR sets out several key principles which govern how Skywise handles personal information. Complying with these principles helps us to ensure that we comply with the law, and that our practices in relation to data protection are good.
The principles state that personal information must be:
● Processed in a way that is lawful, fair, and transparent (“lawfulness, fairness, and transparency”)
● Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”)
● Adequate, relevant, and limited to what is necessary (“data minimisation”)
● Accurate, and where necessary, kept up to date (“accuracy”)
● Kept for no longer than is necessary (“storage limitation”)
● Processed in a way that ensures it is safe and secure, by means of appropriate technical and organisational measures (“integrity and confidentiality”)
The UK GDPR requires us to be able to evidence that we are complying with these principles. This is called the “accountability principle”.
Lawfulness, fairness, and transparency
We only process personal information where there is a lawful basis for doing so. The lawful bases are as follows:
● Where the data subject has given us their consent to the processing
● Where processing is necessary for the performance of a contract, or to enter a contract, with the data subject
● Where processing is necessary to comply with a legal obligation that we are subject to
● Where processing is necessary to protect the vital interests of the data subject or another person
● Where processing is necessary for the performance of a task carried out in the public interest
● Where processing is necessary for the purposes of the legitimate interests pursued by Skywise or by a third party, except where such rights are overridden by the interests or fundamental rights and freedoms of the data subject
We will only process special category data where a lawful basis has been identified from the list above, plus one from the following list:
● The data subject has given us their explicit consent
● The processing is necessary for the purposes of exercising or performing any right or obligation, which is imposed on Skywise in relation to employment, social security, and social protection law
● The processing is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent
● The processing is necessary for the establishment, exercise, or defence of legal claims
● The processing is necessary for reasons of substantial public interest
● The processing is necessary for the assessment of the working capacity of an employee
The principle of fairness means that personal information should be used in a way that the data subject would reasonably expect.
The UK GDPR defines ‘consent’ as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
When we rely on consent as the basis for processing personal information, we will ensure that the data subjects can withdraw their consent as easily as they gave it, and at any time.
We will always use the most appropriate basis for processing personal information.
The principle of transparency requires us to ensure that any information provided by us to data subjects about how their personal information will be processed, is concise, easily accessible, easy to understand, and written in plain language.
Purpose limitation
We will be clear from the very beginning as to why we are collecting personal information and what we intend to do with it.
We will only collect personal information for specified, explicit, and legitimate purposes, and we will not process information in any way that is incompatible with those purposes.
If things change, and we intend to use personal information for a different purpose, we will make sure that the new use is fair, lawful, and transparent. We will always inform data subjects before we use their personal information for a new purpose, and where the lawful basis relied upon for the original purpose was consent, we will obtain such consent again.
Accuracy
The personal information that Skywise collects and processes will be accurate and, where necessary, kept up to date, and will be corrected or deleted without delay when we are notified that the information is inaccurate.
All employees are required to update all relevant records if they become aware that any personal information is inaccurate.
Storage limitation
● We do not keep personal information for longer than we need it.
● We carefully consider how long we keep personal information for, and we justify our reasons for keeping it. Most of our retention periods are determined by legal timescales.
● We have a retention schedule in place which details the types of personal information we hold, the reasons for holding it, and the retention period. This schedule forms part of our Record of processing activities.
● We regularly review the data we hold and delete or securely destroy it when we no longer need it.
Integrity and confidentiality
● We take our responsibilities under data protection laws very seriously and we will always ensure that we have appropriate security measures in place to protect the personal information we hold.
● This means that we will have appropriate measures in place to protect personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage.
● Skywise employees are responsible for ensuring the security of the personal information processed by them in the performance of their duties and tasks.
Keeping personal information secure
We have appropriate technical and organisational measures in place to ensure that we process personal information securely, and to prevent personal information we hold being accidentally or deliberately compromised.
● We enforce strong password policies; passwords are changed at appropriate intervals and are not shared or used by others
● We ensure that laptops, USB/memory sticks and other portable devices containing personal information are encrypted
● We have a firewall, anti-virus, and anti-malware software in place
● We restrict access to systems, so personal information is only accessible to those people who need to use it as part of their work
● Paper documents containing personal information are securely destroyed using a shredder when they are no longer required
Organisational measures
● We provide data protection awareness training to all employees during their induction and annually
● We have appropriate policies and procedures in place to ensure our employees fully understand their responsibilities under data protection laws
● We ensure that our employees and any other individuals who process personal information on behalf of Skywise Education are aware of their individual responsibilities under data protection laws and how these apply to their areas of work
● We promptly investigate all suspected personal data breaches; we always make the appropriate external notifications (where applicable) and seek to learn any lessons from the incident to reduce the risk of recurrence.
● Paper documents containing personal information are securely locked away when not in use
● Paper documents containing personal information are securely destroyed using shredders when they are no longer needed
● Employees take every opportunity to ensure that the personal information we hold is accurate and kept up to date
● Employees do not disclose personal information to any unauthorised persons, both externally and within Skywise
● We regularly test, assess, and evaluate the effectiveness of the measures we have put in place, and act on the results of those tests where they highlight areas for improvement.
Managing personal data breaches
We have a procedure in place for managing and responding to personal data breaches. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Examples of personal data breaches include:
● Sending personal data to the wrong person
● Access to personal data by an unauthorised third party
● Devices or equipment containing personal data being lost or stolen
All suspected personal data breaches and security incidents must be reported without delay to the Data Protection Officer, Mrs Katherine Lee. All personal data breaches will be investigated promptly and recorded on our internal data breach register.
The Data Protection Officer, Mrs Katherine Lee, is responsible for deciding whether a personal data breach needs to be reported to the ICO and data subjects.
Notifying the ICO and other external authorities
Where a personal data breach is likely to result in a risk to the rights and freedoms of a data subject(s), we will notify the ICO within 72 hours of becoming aware of the breach.
We may be required to notify a personal data breach to other external authorities. For example, we may be required to notify the Police or a funding authority. The DSL Ms Zhiying Zheng is responsible for agreeing to all external notifications.
Notifying data subjects
Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject(s), the Data Protection Officer, Mrs Katherine Lee, will communicate the personal data breach to the data subject(s) without undue delay.
When informing the data subject(s) about the breach, we will provide in clear, plain language, the following information:
● Details about the nature of the breach
● The name and contact details of the organisational point of contact, who the data subject(s) can contact if they require further information
● The likely consequences of the breach
● Measures taken, or proposed to be taken, to address the breach, including measures to mitigate possible adverse effects
Responding to requests from individuals (‘rights of data subjects’)
The UK GDPR provides data subjects with a number of rights in relation to their personal information.
These are:
● The right to request a copy of the personal information we hold about them
● The right to request that inaccurate or incomplete information about them is rectified
● The right to request that their personal information is deleted
● The right to request that the processing of their personal information is restricted
● The right to data portability
● The right to object to the processing of their information
● The right to complain to the ICO if they are not happy with how their personal information has been processed, or they feel their data protection rights have been infringed.
We will try to respond to all requests without delay, and in any event within one month of receiving a request. There may be circumstances when we need to extend the time limit for responding to a request. We will tell the individual who has made the request if this is the case and keep them informed.
Before responding to a request, we may need to ask for further information and/or proof of the individual’s identity.
There may be exceptions to the rights outlined above; each request we receive will be reviewed on a case-by-case basis.
Data processors
Whenever we use a third party to process personal information on our behalf, we will always undertake appropriate due diligence and ensure a data processing agreement is in place.
We only use processors that provide us with sufficient guarantees about their security measures.
Record of processing activities
Skywise maintains a record of its processing activities, as is required under Article 30 of the UK GDPR.
This record is held in electronic format and contains the following information:
● Our organisation name and contact details
● A description of the personal information we process
● Categories of data subjects
● Purposes of the processing
● Recipients of the personal information
● The name of any countries or organisations outside the UK that we transfer personal information to, together with information about the safeguards in place
● Retention periods
● A general description of our technical and organisational security measures e.g. encryption, access controls, and training.
We regularly review the personal information we process and update this record accordingly.
This record will be made available to the ICO, if requested.
Data Protection Impact Assessments (DPIAs)
A Data Protection Impact Assessment (DPIA) is a process that helps us to identify and minimise the data protection risks associated with a project, process, or activity involving the processing of personal information.
We are required to carry out a DPIA for any processing that is likely to result in a high risk to individuals. We will also carry out a DPIA for any other major project which requires the processing of personal information, because it is good practice to do so.
The DPIA will:
● Describe the nature, scope, context, and purposes of processing
● Assess necessity, proportionality, and compliance measures
● Identify and assess risks to individuals
● Identify any additional measures to mitigate those risks
We will record the outcome of the DPIA and implement the measures identified.
AEGIS
As part of the accreditation process, Skywise is required to send the AEGIS office a copy of the contact details for all their homestays, partner schools and parents. They will also provide the names of the students. This data is held securely by AEGIS and is destroyed once the inspection process is finished.
Further Information
For full details on your rights or to lodge a complaint, you may contact the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk
Helpline: 0303 123 1113
Policy Review
This policy will be reviewed annually or in response to any significant changes in legislation, operational procedures, or following a serious incident.
Last Reviewed: Mrs Katherine Lee 01/03/2025
Next Review Due: 01/03/2026