Company Policies

Data Protection Policy

Time:2021-05-26 17:11:07  Click:0

Data Protection Policy

Policy Statement

According to all statutory requirements of The Data  Protection Act 1998, Oxford Education Services Ltd (OES) will take all  reasonable steps to ensure the accuracy and confidentiality of the information,  such as the personal details of students, parents, host families and so on. As  a guardianship company, we need to gather and use certain information about  individuals. However, all the personal data will be collected, handled and  stored to meet the data  protection standards, and to comply with the legislation. The principles  of this Act are considered when sharing confidential information when legally  permissible and when in the interests of the child. OES adhere to the  principles of UK GDPR (UK General Data Protection Regulation)  and the Data Protection Act 2018 which are to  ensure that the information is:

- used fairly and lawfully

- used for limited, specifically stated purposes

- used in a way that is adequate, relevant and not excessive

- accurate – kept for no longer than is absolutely necessary

- handled according to people’s rights

- kept safe and secure

- not transferred outside the UK without adequate protection

This policy has been updated to  comply with the UK General Data Protection Regulation (UK GDPR) 2018.Our company’s policy aims to provide  information about how our company collects personal data, to use the  information fairly, to store safely and not  disclosed unlawfully. Please see the details below:


Why this policy exists:

This data protection policy ensures Oxford  Education and Services:

  • Complies with data protection law and follows good practice;

  • Protects the rights of staff, parents, students, homestays and  partners (such as schools);

  • Is open about how it stores and processes individual’s data;

  • Protects itself from the risk of data breach.

The Information Commissioner’s Office

The  Information Commissioner’s Office (ICO) is “the UK’s independent authority set  up to uphold information rights in the public interest, promoting openness by  public bodies and data privacy for individuals” (ICO website). It is  responsible for administering the provisions of the Data Protection Act 1998;  the Freedom of Information Act 2000; and the General Data Protection Regulation  2018.

The Act  requires every data controller who is processing personal information to  register with the ICO (unless exempt). Oxford Education and Services is  registered with the ICO as a data controller, and this is renewed annually (Registration  reference: ZA000173).

The ICO  publishes a Register of data controllers on their website, on which Oxford  Education and Services is listed.

The Data Protection Act 1998

Directives  lay down certain results that must be achieved but each Member State is free to  decide how to transpose directives into national laws. EU directives are  addressed to the member states, and are not legally binding for individuals in  principle. The member states must transpose the directive into internal law –  Acts. Directive 95/46/EC on the protection of personal data had to be  transposed by the end of 1998, when it became now as The Data Protection Act  1998.

The Act  protects individuals’ rights concerning information about them held on computer  and in any Oxford Education and Services personnel files and databases. These  rules apply regardless of whether data is stored electronically, on paper or  other materials.

To comply  with the law, personal information must be collected and used fairly, stored  safely and not disclosed unlawfully.

The Freedom of Information Act 2000

The  Freedom of Information Act 2000 provides public access to information held by  public authorities, in two ways:

  • Public  authorities are obliged to publish certain information about their activities;  and

  • Members of the  public are entitled to request information from public authorities.

General Data Protection Regulation 2018

Regulations  have binding legal force throughout every Member State and enter into force on  a set date in all the Member States. The General Data Protection Regulation  (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy  for all individuals within the European Union.

GDPR  replaces the 1995 Data Protection Directive (Directive 95/46/EC) -The Data  Protection Act 1998. Although the key principles of data privacy still hold  true to the previous directive, many changes have been proposed to the  regulatory policies.

The GDPR  places greater emphasis on the documentation that data controllers must keep to  demonstrate their accountability. Compliance requires organisations to review  their approach to governance and how they manage data protection as a corporate  issue.

Following the  UK’s exit from the EU, the GDPR is retained in domestic law, but the UK has the  independence to keep the framework under review. The ‘UK GDPR’ sits alongside  an amended version of the DPA 2018. The government has published a‘Keeling Schedule’ for the UK GDPR,  which shows the amendments.

The key  principles, rights and obligations remain the same. However, there are  implications for the rules on transfers of personal data between the UK and the  EEA.

This  Oxford Education and Services Data Protection policy applies to personal data  as defined by the Act – that is, data from which a living individual can be  identified, either from data alone, or from that data and other information  that is held by the data controller. This includes information held on the  computer, paper files, photographs etc.

This  policy applies to the main office of Oxford Education and Services (OES), all  staff and volunteers of OES, and all homestays and other people working on  behalf of OES. The scope of the policy applies to all data held by OES relating  to identifiable individuals. Everyone who works for OES has responsibility for  ensuring data is collected, stored and handled appropriately – all must ensure  personal data is handled and processed in line with this policy and data  protection principles.

Staff Guidelines

  • Personal  data should not be shared informally – it should not be sent by email – this  form of communication is not secure;

  • Personal  data must be encrypted before being transferred electronically. Webmail is the  way to access OES emails outside of Outlook or other email client/software.  Only people with access details are permitted to access the Qiye webmail  system. The webmail is password protected, and this needs to be a specific  strength to work;

  • Employees  should not save copies of personal data to their own computers/laptops.

  • Employees  should keep all data secure, taking sensible precautions and following these  guidelines;

  • Strong  passwords must be used, and never shared;

  • Personal  data should not be disclosed to unauthorised people, either within OES or  externally;

  • Data  should be regularly reviewed and updated if found to be out of date. If no  longer required, it should be deleted and/or disposed of;

  • When  not in use, paper format data or files (for instance, DBS applications) should  be kept in a locked drawer or filing cabinet;

  • Employees  should make sure paper and printouts are not left where unauthorised people  could see them, for instance, on a printer;

  • Data  printouts should be shredded and disposed of securely when no longer required;

  • When  working with personal data, employees should ensure computer/laptop screens are  always locked when left unattended;

  • Where  data is stored electronically, it must be protected from unauthorised access,  accidental deletion and malicious hacking attempts;

  • If  data is stored on removable media (for instance, a CD or USB), these should be  encrypted and kept locked away securely when not in use;

  • Data  should only be stored on designated drives and servers, and/or approved cloud  computing services;

  • Data  should be backed up frequently, and backups should be tested regularly;

  • All  servers and computers containing data should be protected by approved security  software and a firewall;

  • Personal  data should never be saved directly to laptops or other mobile devices like  smart phones or tablets, unless encrypted.

How  we collect the data

OES may need to acquire the personal information from students,  parents,host families and schools.

For the students and parents’ information is provided by the parents or  educational agencies. It can include the student and the parents’ full name,  contact number, home address, school information, passport information, medical  information etc.

For the host families’ information is normally provided by themselves  when they apply for a work partnership with us. It can include their full name,  family members,home address, contact number, occupation, photos of the property  etc.

For the school’s information is provided by the students, parents or  educational agencies, as a guardianship organisation, we will need to contact  the school while the students’ in the UK. It can include the school’s name,  housemaster/mistress’ contact details, personal tutor’s contact details etc.

OES may use this information to:

  • Carry  out our obligations arising from any contracts/ agreements entered into by you  and us;

  • Contact  parents, students, homestays and schools;

  • Undertake  administrative functions (for example, HR, contact referees);

  • Process  DBS applications;

  • Compile  marketing lists (e.g. for newsletter and conferences);

  • Handle  complaints;

  • Conduct  research;

  • Share  anonymous details with 3rd parties for the purpose of obtaining professional  advice;

  • Understand  people’s views and opinions (for example, via feedback forms);

  • Send  out information that OES thinks might be of interest to others;

  • Improve  our services;

  • Comply  with legal and regulatory obligations;

  • As  part of the accreditation process, OES is required to send the AEGIS office a  copy of the contact details for all their homestays, partner schools and  parents. They will also provide the names of the students. This data is held  securely by AEGIS and is destroyed once the inspection process is finished.

Who  we share the data with

OES recognises that keeping children safe from  harm requires the early, effective sharing of information and is a vital  element of safeguarding and child protection, as per ‘Information Sharing’  March 2015 and ‘Working Together To Safeguard Children’ 2018: “Effective  sharing of information between professionals and local agencies is essential  for effective identification, assessment and service provision”

In addition, we recognise the need for  confidentiality of their student, school, host family, staff and transfer  company records and works in adherence to UK GDPR and the Data Protection Act  2018. (Refer to Confidentiality and General Data Protection Regulation Policy)

In the case that a child is believed to have  been put at risk or is likely to be put at risk of harm, staff will use their  professional judgement when making decisions on what information to share and  when. As per HM Government Information Sharing Advice for Safeguarding  Practitioners 2015, UK GDPR, “The Data Protection Act 2018 and human rights law  do not prevent the sharing of information for the purpose of keeping children  safe, but a framework to ensure that organisation and individuals process  personal information fairly and lawfully and keep the information they hold  safe and secure.“

Our company procedures should be followed and  staff should consult with their manager if in any doubt. Such decisions on  disclosure should be proportionate to the extent of the harm that a child may  be or has been exposed to. Where any doubt exists about sharing the information  concerned, advice will be sought from other practitioners without disclosing  the identity of the individual where possible.

We will be open and honest with the individual  (and/or family where appropriate) from the outset about why, what, how and with  whom information will, or could be shared, and seek their agreement, unless it  is unsafe or inappropriate to do so.

We will share with informed consent where  appropriate and, where possible, respect the wishes of those who do not consent  to share confidential information.

We understand that information can still be  shared without consent if, in our judgement (based on facts), there is good  reason to do so, such as where safety may be at risk. When sharing or  requesting personal information from someone, Oxford Education staff will be  aware of the basis upon which they are doing so. Where Oxford Education have  consent to share information, staff are mindful that an individual might not  expect information to be shared.

We consider the safety and well-being of the  individual and others who may be affected, when forming information sharing  decisions.

We will only share information which is  necessary for the purpose for which the information is being shared, will share  information only with those individuals who need to have the information, will  ensure the information is accurate and is shared in a secure and timely  fashion.

For the students' data, we normally share it with the schools and the  host familles. Under some special circumstances, it will be needed to share  with the local authorities/services, such as medical or safety issues.

For the host families’ data, we normally share it with the parents,  students and schools if the student will stay with the host during the period  of time.

For the school’s data, we normally share with the students and parents  only.

OES does not share any data with any third party without the permission.

As  the host families will hold on  some personal information for the students while they are hosting. OES will  expect that the host families will not give the students’ information to  anthers and keep it securely. Sometimes, the information can be provided to  others under special situations, such as medical emergencies and child safety.  However, we would like to be reported.

How  to store the data

Most data will be stored securely in our database and be set up with  passwords, which is the director’s laptop. For instance, the students and  parents’ personal information will be set up in a document folder and named as  guardianship document. Employees cannot access personal confidential  information without director’s permission. Employees do not save copies of  personal data to their own computers/laptops.

Any photocopy of personal data is stored in the drawers with a locker at  the director's office, e.g., a photocopy of the passport, BRP card or other  documents. Only the director has the keys to access those documents. We also  keep and secure the original documents in the cabinet with a locker at the  staff office, such as students’ school reports, contracts or other information  which is received from schools etc.

Data  accuracy

The law requires  OES to take reasonable steps to ensure data is kept accurate and up to date as  possible. It is the responsibility of all employees and people working with  OES, who work with data, to take reasonable steps to ensure it is kept accurate  and as up to date at possible.

  • Data  should be held in as few places as necessary. Staff should not create any  unnecessary additional data sets;

  • Staff  should take every opportunity to ensure data is updated, for instance, details  can be updated when a parent calls;

  • OES  will make it easy for data subjects (for instance, homestays and parents) to  update their own information OES holds about them;

  • Any  data inaccuracies should be corrected as soon as discovered, for instance if a  member can no longer be reached on their stored telephone number, this should  be removed from the database).

Retention  period of information

For students, the retention period is to scan all necessary documents  and stored in our database then the original paper will be shredded  immediately. We normally will keep the information for them while under our  guardianship or one year from leaving. The paperwork will be shredded if there  is no longer needed.

For host families, all information will be stored in our database  securely. We will remove the information once the host family no longer hosts  our students.

For schools, all information will be kept and handled by the software (Mail  Master) if it is necessary when we have the students who are currently studying  there, as most information is the teachers’ email addresses or houseparents  contact details etc. We will remove the information when the students leave the  school.

This policy will be reviewed as it is deemed appropriate, but no less  frequently than every 3 years. The policy review will be undertaken by the  manager or director.
 If you have any enquiries in relation to this policy, please contact the  manager, Dr. Iling Lee. The contact number is 01865240616 or send an email:

Data protection risks

This policy helps to protect OES from data security risks including:

  • Breaches  of confidentiality, for instance: information being given out inappropriately;

  • Failing  to offer choice, for instance: all individuals should be free to choose how the  company uses data relating to them;

  • Reputational  damage, for instance: the company could suffer if hackers successfully gained  access to sensitive data.

Accessing your information

Under the Act, an individual is entitled to ask OES:

  • For a  copy of the personal information held by OES;

  • For  any inaccuracies to be corrected;

  • How  to gain access to such data;

  • How  they are meeting their data protection obligations.

Such requests are known as ‘subject access requests’. Such requests  should be made either via email or via the post.

Email requests should be addressed to the data controller at .

Postal requests should be submitted to: 43 Hythe Bridge Street, Oxford,  OX1 2EP

There is no administration charge for any subject access request. The  data controller will aim to provide the relevant data within 14 working days.  The data controller will always verify the identity of anyone making a subject  access request before handing over any information.


We are  committed to reviewing our policy and good practice annually.

This policy  was last reviewed on: …02/ Dec/2020…………………………(date)

Signed: ….202103260852199912.jpg……………………………………………………………………

Date:  ……02/12/2020……………………………………………………………………