DATA PROTECTION POLICY STATEMENT
- Last revision approved on: Mar 28th, 2021
- Policy operational since: Nov 17th, 2017
- Next review date: Mar 20th, 2022
House of Knowledge (HK, 10360378Q) is a Platform with the mission to enable change through access to international professional and general educational opportunities via partnerships with academic and professional bodies. We provide a wide range of learning and consulting support, as well as communication channels to create and exchange knowledge for the benefit of society.
As such the Platform needs to obtain and process certain information about our staff, contractors, learners and participants of the activities to allow us to register and organise events, programmes, and carry out other essential activities.
The information we collect is used fairly, stored safely and not disclosed to any other person unlawfully. To do this, we comply with the relevant legislation indicated below.
The Platform’s need to communicate and share personal data with its partners, in order to ease and facilitate the learning process of participants in its various programmes, also presents data protection risks. The Platform needs to collect, use and share personal information about candidates/students of its programmes and certifications, staff and other individuals in order to deliver services, exercise its responsibilities and duties of care as an employer and provider of services, and fulfil its legal and contractual obligations.
House of Knowledge provides information and services to learners all around the world, and as such the services provided, as well as the products obtained via HK, are governed by the applicable data protection legislation, namely:
- The European General Data Protection Regulation ((EU) 2016/679) (hereinafter referred as the “GDPR”), and
- The UK Data Protection Act 2018 (for students enrolling to Heriot-Watt University and Chartered Institute of Procurement and Supply); and/or
- Legislation on personal data protection of Ukraine as defined by the Law on Personal Data Protection (for students enrolling to Programme and Project Management), or
- any other corresponding or equivalent national laws or regulations, once in force and applicable,
and includes any judicial or administrative interpretation of them, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any applicable Supervisory Authority.
These laws require the platform to collect, process, store and protect personal information and control how it is used in accordance with the legal rights of the data subjects – the individuals whose personal data is held.
All staff, candidates, students and other data subjects are entitled to know:
- why information is gathered and stored, and where the body requesting the information is located;
- which third parties have access to their personal data;
- how to gain access to their own personal information;
- how to keep it up to date;
- what the Platform is doing to comply with its legal obligations.
This policy and its supporting procedures and documents aim to ensure that the Platform complies with its obligations as a Data Receiver/Controller/User under all applicable legislation, and processes all personal data in compliance with the Data Protection Principles.
In summary, these state that personal data shall:
- Be obtained and processed fairly and lawfully
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and kept up to date.
- Be kept for no less and no longer than a time span identified by relevant laws for every respective area.
- Be processed and protected in accordance with the rights of data subjects.
- Be kept safe from unauthorised access, accidental or deliberate destruction or unauthorised change.
Misuse of personal data, whether accidental or deliberate loss or disclosure to third parties, presents significant legal, financial and reputational risks.
In order to manage these risks, this policy sets out responsibilities for all managers, staff, partners and contractors, and anyone else who can access or use personal data in their work with the platform.
The policy incorporates a framework of governance and accountability for data protection by maintaining:
- Confidentiality: protecting information from unauthorised access and disclosure
- Integrity: safeguarding the accuracy and completeness of information and preventing its unauthorised amendment or deletion
- Availability: ensuring that information and associated services are available to authorised users whenever and wherever required
What information is included in the Policy: This policy applies to all personal data created or received in the course of business in all formats, of any age. Personal data may be held or transmitted in paper and electronic formats or communicated verbally in conversation or over the telephone.
Who is affected by the Policy. Data subjects: these include, but are not confined to: prospective applicants, applicants to programmes and posts, current and former learners and students, alumni, current and former employees, family members where emergency or next-of-kin contacts are held, workers employed through agencies, external researchers, visiting scholars and volunteers, potential and actual donors, customers, conference delegates, people making requests for information or enquiries, complainants, professional contacts and representatives of funders, partners and contractors.
Users of personal data: the policy applies to anyone who obtains, records, accesses, stores or uses personal data in the course of their work for the Platform. Users of personal data include employees and students of the Platform’s partners, contractors, suppliers, agents, platform partners, external researchers and visitors.
Where the Policy applies: This policy applies to all locations from which platform personal data is accessed including home use. As the platform operates internationally through arrangements with partners in other jurisdictions the remit of the policy shall include such overseas collaborations and international activities and shall pay due regard to non-European legislation that might be applicable.
The platform will apply the Data Protection Principles to the management of all personal data throughout the information life cycle by adopting the following policy objectives.
- Use proportionate privacy impact assessment to identify and mitigate data protection risks at an early stage of project and process design for all new or updated systems and processes that present privacy concerns and in managing upgrades or enhancements to systems used to process personal data
- Adopt data minimisation: we will collect, disclose and retain the necessary minimum personal data for the minimum necessary time for the purpose
- Process personal data fairly and lawfully
- Treat people fairly by using their personal data for purposes and in a way that they would reasonably expect
- Get informed consent in the manner prescribed by law
- Inform data subjects what we are doing with their personal data by explaining in a clear and accessible way: what personal data we collect; for what purposes and why we need it; how we use it and how we will protect it; to whom we may disclose it and why; and, where relevant, what personal data we publish and why
- We publish this information on our portal and/or where appropriate in printed formats.
We review the content of these Privacy Notices regularly and inform our data subjects of any significant changes that may affect them. We will provide simple and secure ways for our students, staff and other data subjects to update the information that we hold about them such as home addresses.
Where we process personal data to keep people informed about the Platform’s activities and events, we provide in each communication a simple way of opting out of further marketing communications. In this way we provide accountability for our use of personal data and demonstrate that we manage people’s data in accordance with their rights and expectations.
Upholding individuals’ rights as data subjects
This means that we uphold individuals’ rights to
- Get access to their personal data, responding to requests for their own personal data (subject access requests) in a fair, friendly and timely manner
- Object to processing that is likely to cause or is causing unwarranted and substantial damage or distress
- Object to decisions being taken by automated means
- Have inaccurate personal data rectified, blocked, erased or destroyed under certain circumstances
Protection of personal data
This policy applies to all personal data that we collect, process, hold and may hold relating to any individual in order to provide the named services and activities of the platform. This may include:
- national and international passport data, ID;
- date of birth;
- marital status and maiden names;
- contact information such as: email address, telephone numbers, messengers IDs, home and business address;
- authentication information;
- student numbers, registration numbers, results of exams and other information needed to support your study process;
- contents of present and previous requests and subsequent communications;
- payment information, reviews information, antifraud score, devices, bonus points;
- order data, including user details, order content, delivery address, order price, tracking number, delivery status history;
- bank account details, legal details, other contract information;
- information about employment, education, interests;
- any other personal data that may indicate the identity and/or the address and/or the credibility and/or the financial status and/or employment and/or disability or special considerations circumstances and/or criminal convictions status and/or any personal preferences of the data subject.
Under this policy we:
- Control access to personal data so that staff, contractors and other people working on platform business can only see such personal data as is necessary for them to fulfil their duties
- Require all staff and contractors who have access to personal data in the course of their work to complete basic data protection training relevant to their specific roles
- Set and monitor compliance with security standards for the management of personal data
- Take all reasonable steps to ensure that all suppliers, contractors, agents and other external bodies and individuals who process personal data for the platform enter into our Data Processor Agreements and comply with instructions
- Maintain Data Sharing Agreements with educational partners and other external bodies with whom we may need to share student, staff personal data to deliver shared services or joint projects to ensure proper governance, accountability and control over the use of such data
- Manage all subject access and third-party requests for personal information about staff, students and other data subjects in accordance with our Procedures for responding to requests for personal data
- Make appropriate and timeous arrangements to ensure the confidential destruction of personal data in all media and formats when it is no longer required for platform business and under applicable legislation, whichever occurs later.
- Retain personal data only as long as required
LINES OF RESPONSIBILITY
All users of platform information are responsible for:
- undertaking relevant training and awareness activities provided by the platform to support compliance with this policy
- taking all necessary steps to ensure that no breaches of information security result from their actions
- reporting all suspected information security breaches or incidents promptly so that appropriate action can be taken to minimise harm.
- informing the platform of any changes to the information that they have provided to the platform in connection with their employment or studies, for instance, changes of address
The Attorney General of the platform bears ultimate accountability for the platform’s compliance with data protection law.
The Academic Director has senior management accountability for information governance including data protection management and for providing proactive leadership to instil a culture of information security within the platform through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.
All Heads of Programmes, Projects and Professional Services divisions (the Heads) are responsible for implementing the policy within their business areas, and for adherence by their staff.
The Assigned Information Services provider is responsible for ensuring that centrally managed IT systems and services take account of relevant data protection risks and are integrated into the information security management system and for promoting good practice in IT security among relevant staff.
The team members of Student Support and Relations Department are responsible for ensuring that controls to manage the physical security of the platform take account of relevant data protection risks and are integrated into the information security management system.
The Attorney General, the Academic Director and the dedicated Heads of Programmes, Projects and Professional Services divisions form the Data Protection Board (DP board).
In all cases the Heads of the relevant programmes bear the responsibilities of data protection officers, and are responsible for:
- keeping the DP board updated about data protection responsibilities, risks and issues;
- reviewing all data protection procedures and related policies, in line with an agreed schedule;
- arranging data protection training and advice for the people covered by this policy;
- handling data protection questions from staff and anyone else covered by this policy;
- processing queries from, and interacting with, clients who share information in connection with an audit of compliance with data protection requirements (where such an audit is provided for by agreement);
- dealing with requests from individuals to see the personal data HK holds about them (also called ‘subject access requests’);
- checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
If the Head of the Programme is not appointed, or for any reason is not in a position to meet these responsibilities, the Academic Director will assume them until the Head of the Programme is appointed or is in a position to meet his/her responsibilities.
The DP board, through HK’s specialised employees and/or third parties (contractors), is responsible for:
- ensuring that all systems, services and equipment used for storing data meet acceptable security standards;
- conducting appropriate background checks and due diligence checks on all third parties to whom HK may send personal data. Before entering into an agreement with such third parties, HK must be satisfied that the third party meets the highest standards of personal data protection and has adequate and proper policies and manuals in force. Any transfer is made only after entering into an agreement with such third parties, and the third parties will process such personal data only for the purposes and/or under the provisions of that agreement(s);
- after entering into an agreement with a third party, from time to time and as the DP board deems necessary, conducting an audit and/or inspection of the third party to whom personal data has been sent, in order to determine whether the third party still meets HK’s standards of personal data protection, still maintains adequate and proper policies and manuals, and complies with its contractual obligations. If a violation is found, HK will exercise any and all contractual and legal rights;
- performing regular checks and scans to ensure that security hardware and software are functioning properly;
- evaluating any third-party services that the company is considering using to store or process data, for instance cloud computing services.
The compliance officer is responsible for:
- approving any data protection statements attached to communications such as emails and letters;
- addressing any data protection queries from journalists or media outlets like newspapers;
- where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
MONITORING AND EVALUATION
The Attorney General and the Academic Director, with the support of the Assigned Information Services provider, monitor new and ongoing data protection risks and update the information security risk register.
The Head of the Students Support and Relations Department will liaise with the Assigned Information Services provider to ensure that IT security risks related to data protection are prevented, captured on the register, and escalated and resolved where necessary. The Head of the Students Support and Relations Department is responsible for promptly escalating major risks arising from a breach of information security, or other major issues that affect strategic and operational risks, to the relevant partners and management.
The Attorney General is also responsible for meeting any reporting requirements of external regulatory bodies.
As part of the platform’s internal audit programme, the Attorney General will instruct the platform’s Internal Auditors to audit the management of information security risks and compliance with relevant controls, as required.
This policy is implemented through the development, implementation, monitoring and review of the component parts of the Platform’s information security management system:
- Assurance that the only people able to access data covered by this policy should be those who need it in order to provide support services
- Assurance that HK has non-disclosure agreements with all its employees and any other person either legal or not who will have access to the personal data
- Assurance that staff employed undertake information risk assessments to identify and protect confidential and business critical information assets and IT systems
- Coordination of effort between all teams and the Assigned Information Services provider to integrate IT, physical security, people, information management, risk management and business continuity, in order to deliver effective and proportionate information security controls
- Review and refresh of all relevant policies and procedures
- Generic and role specific training and awareness
- Embedding information governance requirements into procurement and project planning
- Information security incident management policies and procedures
- Monitoring compliance and reviewing controls to meet business needs
With regard to HK’s communications, network systems and the software used to process data, the following apply:
- all work communication shall be carried out via email from business accounts or via approved chats in applications and/or software such as “telegram”, “messenger”, etc. Such chats are completely private individual or group chats. HK’s managers are the admins of such chats. Group chats are supervised by the assigned managers to ensure compliance with this policy and the applicable regulations;
- all systems used to store, process and/or share data have the required level of protection. Managers access these systems only through the internal secured ethernet network or via an individual business account. Managers who are granted access to the relevant sections of the systems have individual strong passwords that are never to be shared;
- the accounts of employees who no longer work with the data are promptly removed from the relevant programs, groups, chats and group accounts;
- on-site Wi-Fi networks are divided into two categories: a secured ethernet network for employees and a public Wi-Fi network for visitors. The public Wi-Fi network is completely separate and has no access to any internal resources whatsoever;
- when sensitive or personal information has to be shared with third parties, all documents are shared with a strong password or a similar level of protection. Managers are responsible for ensuring that these communication rules are followed by all employees.
These rules describe how and where data should be safely stored. Questions about storing personal data safely can be directed to the Head of your Programme or Head of Students Support and Relations.
When personal data is stored on paper, it is kept in dedicated secured premises with access limited only to authorised personnel.
Such personal data stored on paper is regularly reviewed and not kept longer than required. Paper records are destroyed by shredding and disposed of by a dedicated officer.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- personal data should be protected by strong passwords that are changed regularly and never shared between employees;
- personal data should be protected by encryption software;
- the personal data that is stored on removable media is kept locked away securely when not being used;
- personal data is stored only on designated drives and servers or on approved secured cloud services;
- personal data is backed up frequently. Those backups are tested regularly, in line with the company’s standard backup procedures and deleted, when no longer relevant;
- all servers and computers containing data are protected by approved security software and a firewall;
HK will store the personal data of individuals affiliated with the support services provided for a period of 3 years after the end of the business relationship, unless otherwise indicated in the official contract.
Subject access requests
All individuals who are the subject of personal data held by HK are entitled to:
- ask what information the company holds about them and why;
- ask how to gain access to it;
- ask HK to stop processing his/her personal data;
- ask HK to delete his/her personal data;
- be informed how HK protects and processes his/her personal data;
- be further informed of his/her rights.
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the personal manager. The email may be sent directly to the personal manager or the Head of Student Support and Relations.
HK will aim to provide the relevant personal data within 14 days.
HK will always verify the identity of anyone making a subject access request before handing over any information.
HK aims to ensure that individuals are aware that their data is being processed, and that they understand how their personal data is used and how to exercise their rights.
Disclosing data for other reasons
HK does not disclose personal data to anyone other than the parties explicitly mentioned above.
In certain circumstances, HK may be required by the law and/or court order and/or warrant issued by authorities to disclose to law enforcement agencies personal data without the consent of the data subject.
Under these circumstances, HK will disclose requested data. However, the personal manager will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Everyone who works for and/or with HK has responsibility for ensuring data is collected, stored and handled appropriately.
Each team and or individual that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, such individuals have key areas of responsibility:
- The Attorney General and Academic Director are ultimately responsible for ensuring that HK meets its contractual obligations.
Any further queries should be sent to firstname.lastname@example.org with the indication “Data Protection Request” in the subject field.