Children's LoveCastles Trust

Access To Quality Education For All

Data Protection Policy

DEFINITIONS

Organisation: means ChildrensLoveCastles Trust (CLT India), a registered Trust.
GDPR: means the General Data Protection Regulation.
Register of Systems: means a register of all systems or contexts in which personal data is processed by the Organisation.

1. DATA PROTECTION PRINCIPLES

CLT India (Regd. as ChildrensLoveCastles Trust) is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation.

Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2. GENERAL PROVISIONS

  • This policy applies to all personal data processed by CLT India.
  • The Responsible Person shall take responsibility for CLT India’s ongoing compliance with this policy.
  • This policy shall be reviewed at least annually.

3. RATIONALE

CLT India needs to process certain information about its staff, volunteers, NGO partners, students and schools, donors, and other individuals with whom it has a relationship for various purposes such as, but not limited to:

1. The recruitment and payment of staff.
2. The administration of programs of study and courses.
3. School/class enrolment.
4. Examinations and assessment.
5. Recording student progress, attendance and conduct.
6. Complying with obligations to funding bodies and government.

To comply with various legal obligations, including the obligations imposed on it by the General Data Protection Regulation (GDPR), CLT India must ensure that all this information about individuals/organisations is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.

4. COMPLIANCE

This policy applies to all staff of CLT India. Any breach of this policy or of the Regulation itself will be considered an offence and the organisation’s disciplinary procedures will be invoked. As a matter of best practice, other agencies and individuals working with the organisation who have access to personal information will be expected to read and comply with this policy. It is expected that departments responsible for dealing with external bodies will take responsibility for ensuring that such bodies sign a contract which, among other things, will include an agreement to abide by this policy.

5. RESPONSIBILITIES UNDER THE GDPR

The ‘top/senior management’ is responsible for all day-to-day data protection matters and will be responsible for ensuring that all members of staff and relevant individuals abide by this policy, and for developing and encouraging good information handling within the organization. Compliance with the legislation is the personal responsibility of all members of the organization who process personal information. Individuals who provide personal data to the Organisation are responsible for ensuring that the information is accurate and up to date.

6. LAWFUL, FAIR AND TRANSPARENT PROCESSING

  • To ensure its processing of data is lawful, fair and transparent, CLT India shall maintain a Register of Systems.
  • The Register of Systems shall be reviewed at least annually.
  • Individuals have the right to access their personal data and any such requests made to CLT India shall be dealt with in a timely manner.

7. LAWFUL PURPOSES

  • All data processed by the Organisation must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
  • The Organisation shall note the appropriate lawful basis in the Register of Systems.
  • Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
  • Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be available and systems should be in place to ensure such revocation is reflected accurately in CLT India’s systems.

8. DATA MINIMISATION

CLT India shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

9. ACCURACY

  • CLT India shall take reasonable steps to ensure personal data is accurate.
  • Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

10. ARCHIVING / REMOVAL

  • To ensure that personal data is kept for no longer than necessary, CLT India shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
  • The archiving policy shall consider what data should/must be retained, for how long, and why.

11. SECURITY

  • CLT India shall ensure that personal data is stored securely using modern software that is kept up to date.
  • Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
  • When personal data is deleted, this should be done safely such that the data is irrecoverable.
  • Appropriate backup and disaster recovery solutions shall be in place.

12. BREACH

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, CLT India shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office.

Register of Systems Stakeholders:

  • CLT India / Staff / Volunteers / NGO partners / Donors / Schools / Students / Contractors
  • It is our policy and commitment that we minimize data collection and processing, restricting the same to ‘essential’.
  • Data are shared essentially for regular functioning, for example data about students with the volunteer teachers and/or data about the volunteers with the coordinators at the school site. Personal data are not otherwise collected or shared.
  • Data, except those of employees, are collected and stored digitally. The storage on a server is augmented with a disaster recovery plan by the storage provider, and a privacy agreement is in place.
  • Accounting services are outsourced for the Trust. We have a data protection and confidentiality commitment from them.
  • Data is shared internally only as required and, except for compliance purposes, there is minimal processing done. Access to data is limited to those who need it for operational purposes.
  • Any exception to this policy based on situational requirements is authorized by top management officers.