Data Protection Policy, May 2018

Joan Henderson Education Mentor is committed to the protection of all personal and sensitive data for which she holds responsibility as both the Data Controller/Data Processor and the handling of such data in accordance with the General Data Regulation (GDPR) May 2018.

The GDPR (Regulation(EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission will strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the Eu. GDPR 2018 will replace the data protection directive (official Directive 95/46EC) from 1995. The new Regulation was adopted on 27th April 2016 and came into force on the 25th May after a two-year transition period.

The following guidance is not a definitive statement on the Regulations, but it seeks to interpret relevant points where they affect the work between Joan Henderson Education Mentor and staff and schools.

The regulations cover both written and computerised information and the individual’s right to see such records.

Joan Henderson has overall day to day responsibility for data protection.

Good information handling: –
• All personal data is processed fairly, lawfully and in a transparent manner.
• All personal data is processed in a manner with the purpose for which it was obtained.
• All personal data is adequate, relevant and not excessive for the purpose it was intended for.
• Personal data is accurate and where necessary kept up-to-date.
• Personal data is not kept for any longer than is necessary for the purpose it was obtained.
• All personal data is kept secret.

Data held: –
• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• Any information relating to individuals
• Photographs of best school practice for educational training purposes

This policy helps to protect Joan Henderson Education Mentor from some very real data security risks including:-
• Breaches of confidentiality e.g. information given out inappropriately.
• Failing to offer choice e.g. all individuals should be free to choose how Joan Henderson Education Mentor uses data relating to them, unless it is required by contract or legal reasons.
• Reputational damage e.g. Joan Henderson Education Mentor could suffer if hackers successfully gain access to sensitive data.

Collection of data, its storage and how it is handled.
Ensuring the system, services and equipment used for storing data meet acceptable security standards.
Ensuring that regular checks and scans are made to ensure security hardware and software is functioning correctly.
Arranging for CCG Solutions company is managing the storage of data.

Data should not be shared informally.
All data is kept secure, following all the guidelines.
Strong passwords are used taking advice from CCG Solutions
Personal data is not disclosed to unauthorized people.
Where data is out of date or no longer required, it should be deleted and disposed of.

Data Storage
All data on paper is stored in a secure place.
All papers are not left for unauthorized people to view.
Data print outs should be shredded
Electronical storage
Data should be protected by strong passwords, changed regularly
Data is only stored on drives within the Synology server and regularly backed up.
Data should not be saved directly to laptops. All servers and computers containing data are protected by approved software and a firewall established and managed by CCG Solutions.

Data Accuracy
Data is held on Joan Henderson Education Mentor’s computer system.
Every opportunity should be taken to ensure date is up to date, during telephone calls or visits.
All data should be updated as inaccuracies are discovered, and previous information deleted.

For the purposes of the Regulations, personal and special categories of personal data will cover information relating to: –

• Name and contact details
• Email address
• School of work
As a rule, consent is required to obtain and record information. It should also be noted that all information or details received from people or schools was shared with the Principal’s permission. Retrospective consent should be sought the earliest convenience where it is not reasonable to obtain consent at the time data is first recorded.

Obtaining consent
Consent may be obtained in several ways depending on the nature of the work, training and consent must be recorded on or maintained with the Principal/Teacher records:
• Face-to-face or written using a written proforma
• Telephone with verbal consent being sought and recorded giving details of agreement e.g. who, what and when and secured in a safe location.
• Email seeking consent during the initial response.

Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a service user in relation to information needed for the provision of that service (training of staff), separate consent would be required if for example, direct marketing of school environments through blogs.
Preliminary verbal consent should be sought at point of initial contact as personal /or training service of personal data will need to be recorded either in an email or on a computerized record. The verbal consent is to be recorded and secured on the computer or stated in the email for future reference. Although written consent is the optimum, verbal consent is the minimum requirement.
Specific consent for use of any photographs and or videos taken should be obtained in writing. Such medial could be used for, but not limited to, training material, social media, and the website.
Consent should also indicate whether agreement has been given to their name being published in any associated publicity. If the subject is less that 18 years of age, then parental /guardian consent should be sought.
Individuals have a right to withdraw consent at any time. This could affect the provision of a service or the delivery of future training.

Security of personal information
Unlawful disclosure
1. It is an offence to disclose personal information ‘knowingly and recklessly’ to third parties.
2. It is a condition of receiving a service that all service users for whom we hold personal details sign a consent form allowing us to hold such information.
3. An individual’s consent to share information should always be checked before disclosing personal information to another agency.
4. Personal information should only be communicated on a strict need to know basis. Care should be taken to respect this right in a dignified and private manner.

Cloud Computing
When commissioning cloud-based systems, through CCG Solutions, Joan Henderson Education Mentor will be respectful as to the compliance of data protection principles and robustness of the cloud-based providers.
Currently cloud based data management systems are used to hold and manage information e.g. email addresses, Power point presentations Key note presentations, photographs, website through member sign up details or online workshop ticket purchases.

Electronic Data
Business Solutions provide Joan Henderson with both IT services and a hosted server, which holds all electronic data to include personal information on schools, training, email addresses of stakeholders. Access is password protected and restricted to named users, with different level of access to each use on the need to know basis to be able to carry out work.
User passwords will have a minimum of 7 characters and must meet complexity requirements. The user gets locked out after 3 failed attempts, and their account does not automatically unlock after a period, it must be unlocked by the administrator.

The website is stored and maintained in a secure encrypted cloud-based server located in it has antivirus software and firewall protection, with A SSl certificate in place. The website users are limited to the services to reduce the risk of hacking. Payment details for purchases are processed by STRIPE through their payment gateway.

The use of cookies is to help the user get the best experience from its website. Users are given the option to remain or to be kept updated.

Privacy Notice
Joan Henderson Education Mentor recognises the importance of protecting personal and confidential information in everything that she does, she takes her legal duties seriously. She has established a reasonable technical, security and procedural controls required to protect your personal information, in whatever format your information is in.

What your information is used for: –
Managing our professional working relationship.
To provide you with a mentoring/professional training service.
To administer payments relating to workshops, in house training and professional mentoring.
To administer an effective and efficient business relationship. Managing finances, business capability, planning and communications.
Types of personal information held: –
Personal details such as names, addresses, schools address and telephone numbers.
Financial details, including payments to Joan Henderson Education Mentor by staff and payments made by Joan Henderson Education Mentor for services and required.
Details of when you contact her or when Joan contacts you (including copies of written communications such as emails, letters, flyers, requests and costings for work requested).
Details of workshops/ training programmes purchased.
Any consents which you have given Joan in relations to the processing of your information or use of photographs used.
Details of use of services offered and feedback received.

Personal information you provide: –
When you contact her regarding training offered within school, workshops or events.
When you use the website or services.
When you request to be keep informed on the website.

Your personal information may be used to update you in relation to relevant training options, programmes/ opportunities being offered unless you request not to receive or withdraw your consent. If you want to withdraw your consent, please: –
Follow the unsubscribe link on the website. Call Joan at 07557192815 to inform her that you do not wish to receive any messages or emails.

Right to Access
You have the right to request a copy of the personal data that we hold about you by contacting Joan at Please include with your request, information that will enable Joan to verify your identity. She will respond within 30 days of request. Please note that there are exceptions to this right. She will be unable to make all the information available to you if, for example, making the information available to you would reveal personal data about another person, if she is legally prevented from disclosing such information, or if your request is manifestly unfounded or excessive.

Joan aims to keep your personal data accurate and complete. She encourages you to contact her using the contact details provided below to let her know if any of your personal data is not accurate or changes, so that she can keep your personal data up-to-date.

Right to erasure
You have the right to request the deletion of your personal data where, for example, the personal data are no longer necessary for the purposes for which they are collected, where you withdraw your consent to processing, where there is no overriding legitimate interest for Joan to continue to process your personal data, or your personal data has been unlawfully processed. If you would like to request that your personal date is erased, please contact Joan at

If you believe that your data protection rights may have been breached, and Joan has been unable to resolve your concern, you may lodge a complaint with the applicable supervisory authority or to seek a remedy through the courts. Please visit more information on how to report a concern to the UK Information Commissioner’s Office.

Changes to Policy
Any changes to the Policy in the future will be posted on the website.
What to do if there is a breach
Joan should take action to determine whether it needs to be reported to the Information Commissioner. Breaches to the ICO must be notified no later that 24 hours after the detection of the personal data breach.
Any deliberate or reckless breach of this Data Protection Policy is very serious.

The rights of an individual

Personal data cannot be held without the individuals consent.
Data cannot be used for the purposes of direct marketing of any services if the person has declined their consent to do so.
Individuals have the right to have their date erased and to prevent processing in specific circumstances:
• Where data is no longer necessary in relation to the purpose for which is was originally collected.
• When an individual withdraws consent.
• When an individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
• Personal data was unlawfully processed.