Data Protection Policy

 

1. Key Definitions

1.1. In this Policy each of the words and expressions listed in the left-hand column below shall, unless inconsistent with the context, have the meaning given opposite it:

“Director” means the person holding the office of Director of Cedar from time to time including any person appointed as Acting Director of Cedar on a temporary basis.
“Information Commissioner” means the person appointed as such pursuant to section 25 of the DPA.
“Stakeholders” includes staff, students (including applicants), parents, trustees, alumni, volunteers, and donors of Cedar International School, and any other person for whom Personal Data is collected.
“Personal Data” means any information collected and stored by Cedar which “relates directly or indirectly to a stakeholder, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive Personal Data and expression of opinion about the stakeholder.”
“Photograph” means any kind of still or moving image with or without sound or any audio recording, and whether stored/transmitted electronically or as hard copy.
“Processing” in relation to Personal Data, means collecting, recording, holding or storing the Personal Data or carrying out any operation or set of operations on the Personal Data, including the

(a) organisation, adaptation or alteration of Personal Data;
(b) retrieval, consultation or use of Personal Data;
(c) disclosure of Personal Data by transmission, transfer, dissemination or otherwise making available; or
(d) alignment, combination, correction, erasure or destruction of Personal Data;

“Sensitive Personal Data” means any Personal Data about a data subject’s (a) physical or mental health; (b) sexual orientation; (c) political opinions; (d) religious beliefs or other beliefs of a similar nature; (e) criminal convictions, the commission or alleged commission, of any offence; or (f) any other Personal Data that the relevant BVI government Minister responsible for Information may by order prescribe.

1.2. Capitalized terms such as “Head of School”, “Facilities Manager”, “Technology Coordinator”, and “Division Heads” refer to the persons employed or appointed by Cedar in such capacity including any person appointed to act in such capacity on a temporary basis.
1.3. The masculine gender shall include the feminine and neuter and the singular number shall include the plural and vice versa.

 

2. Background and Purpose

2.1. The British Virgin Islands’ Data Protection Act, 2021 (DPA) requires any person who processes Personal Data to comply with the provisions of the DPA and to abide by the privacy and data protection principles set out in the DPA.
2.2. Cedar International School (‘Cedar’, ‘us’ or ‘we’) are subject to the DPA because we process Personal Data; that is to say, we collect, record, hold or store the Personal Data of our various Stakeholders as part of our operations.
2.3. We are therefore required to process that Personal Data in accordance with the DPA. The purpose of this policy is to set out Cedar’s practices of data collection, storage and sharing to ensure compliance with the DPA and ensure appropriate processing of all Personal Data pertaining to Stakeholders.
2.4. This Data Protection Policy applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users, or any other Stakeholder.
2.5. This Data Protection Policy applies to all Cedar employees, management, and other personnel who are all required to read, understand, and comply with this Data Protection Policy when Processing Personal Data and who must attend training on its requirements. Data protection is the responsibility of everyone in Cedar and this Data Protection Policy sets out what we expect from you when handling Personal Data to enable Cedar to comply with applicable law. Your compliance with this Data Protection Policy is mandatory.

 

3. Principles

3.1. In accordance with the provisions laid out in the DPA, Cedar shall:

  • a) Not process Personal Data about a person unless that person has given his or her express consent to the processing of the Personal Data.
  • b) Process Sensitive Personal Data in accordance with section 20 of the DPA and Clause 4.5 below.
  • c) Not transfer Personal Data outside the Virgin Islands unless there are adequate data protection safeguards in place or consent is provided by the Stakeholder.
  • d) Process Personal Data for a lawful purpose only, to the extent necessary related to that purpose and shall not obtain more data than is necessary in relation to the purposes for which they are processed.
  • e) Collect and process Personal Data in a transparent manner and shall inform a stakeholder upon a request for Personal Data, of the purpose for which the data is being collected or processed, of their right to access and correct the Personal Data and of any third party to whom Cedar may disclose such data.
  • f) Take practical steps to protect Personal Data from any loss, misuse, unauthorized or accidental access, disclosure, alteration, or destruction.
  • g) Not retain Personal Data for longer than is necessary for the fulfilment of the purpose for which the data was collected.
  • h) Take reasonable steps to ensure that Personal Data collected or processed is accurate and, where necessary, kept up-to-date.
  • i) Give Stakeholders access to their Personal Data and permit them (unless prohibited by any other law) to correct that Personal Data where the Personal Data is inaccurate, incomplete, misleading, or not up-to-date.

 

4. Data Collection and Use

4.1. Cedar International School collects Personal Data only for legitimate educational and administrative purposes, such as enrolment, academic records, and communication. Data collected may include names, addresses, contact details, academic performance, and health information.
4.2. Personal data will be used to fulfill educational and operational requirements, maintain records, provide necessary services, and ensure the well-being of students and staff.
4.3. Personal Data cannot be processed further in any manner incompatible with the explicit purpose for which it was collected. Cedar will not use Personal Data for any new, different, or incompatible purposes from that disclosed when it was first obtained, unless we have informed the stakeholder of the new purpose and they have consented.
4.4. Cedar will not collect more information than is necessary for the purposes for which the Personal Data was collected.
4.5. Cedar shall not process Sensitive Personal Data unless:
(a) The Stakeholder has given explicit consent to the processing of the Personal Data;
(b) The processing is necessary –

    1. for Cedar to exercise any right or fulfil any obligation granted or imposed by law;
    2. to protect the vital interests of the Stakeholder;
    3. for medical purposes where the processing is undertaken by a health care professional or similar or equivalent person;
    4. in connection with any legal proceedings or for the purpose of obtaining legal advice;
    5. for the administration of justice; or
    6. for any other purpose as may be provided in the DPA or other relevant legislation applicable in the British Virgin Islands.

(c) the information contained in the Personal Data has been made public because of steps deliberately taken by the Stakeholder.

 

5. Rights of Stakeholders

5.1. The Right to be Informed

5.1.1. Each Stakeholder is entitled on making a written request to Cedar to the following information:

a) Confirmation as to whether their Personal Data is being processed by Cedar.
b) A description of the Stakeholder’s Personal Data which is or will be processed.
c) The purposes for which the Personal Data is being or will be processed.
d) The recipients or classes of recipients to whom Personal Data is or may be disclosed.
e) Information available to Cedar as to the source of the Personal Data.

5.1.2. Cedar must inform each Stakeholder that has sent a request for information under Clause 5.1.1 above whether access will be given to all or part of the Personal Data. Cedar must inform the Stakeholder within 30 days of receiving the Stakeholder’s request for information.

 

5.2. The right of Access to Personal Data

5.2.1. Cedar will verify the identity of the person making the request before any information is supplied under clause 5 above.
5.2.2. A copy of the information will be supplied to the Stakeholder free of charge; however, Cedar may impose a reasonable administrative fee to comply with requests for further copies of the same information.
5.2.3. Where a request is manifestly unfounded, excessive, or repetitive, a reasonable fee will be charged.
5.2.4. All fees will be based on the administrative cost of providing the information.
5.2.5. Subject to clause 6.6 below, all requests will be responded to within a reasonable period of time, usually, within one month of receipt.
5.2.6. Cedar, through its Director, may extend the period of compliance:

(a) for a further period of up to 30 days if meeting the original time would, in the Director’s sole discretion, unreasonably interfere with Cedar’s operations, or if consultations necessary to comply with the request cannot be completed within the original time limit; or
(b) by such additional period of time as may be necessary to convert the Personal Data into an alternative format, if applicable.

5.2.7. The DPA permits Cedar to refuse a request to give access to Personal Data in certain circumstances. If Cedar refuses a request, its Director shall inform the person making the request in writing specifying the provision of the DPA on which the refusal is based.

 

5.3. The Right to Rectification

5.3.1. Stakeholders are entitled to have any incomplete, incorrect, misleading, or excessive Personal Data rectified.
5.3.2. Where the Personal Data in question has been disclosed to third parties, Cedar will inform them of the rectification where possible.
5.3.3. Where appropriate, Cedar will inform the Stakeholder about the third parties to whom their Personal Data has been disclosed.
5.3.4. Cedar will respond to requests for rectification promptly and usually within one month of receiving the request for rectification and amend or rectify its records accordingly.
5.3.5. Where no action is being taken in response to a request for rectification, Cedar will notify the Stakeholder of its decision not to rectify or amend the Personal Data.
5.3.6. A Stakeholder that disagrees with Cedar’s decision not to rectify or amend their Personal Data may lodge a written complaint with the Information Commissioner.

 

5.4. The Right to Delete

5.4.1. Stakeholders have the right to request the deletion or removal of Personal Data where there is no compelling reason for its continued processing.

5.4.2. Stakeholders have the right to have their Personal Data deleted in the following circumstances:

a) Where the Personal Data is no longer necessary in relation to the purpose for which it was originally collected/processed;
b) When the data subject withdraws their consent;
c) When the data subject objects to the processing and there is no overriding legitimate interest for continuing the processing;
d) The Personal Data was unlawfully processed;
e) The Personal Data is required to be erased in order to comply with a legal obligation; or
f) For any other reason as may be permitted under the DPA.

5.4.3. Cedar may refuse to comply with a request to delete Personal Data:

a) To comply with a legal obligation
b) Where deletion of the Personal Data is contrary to public interest, or the interests of justice
c) For archiving purposes in the public interest, scientific research, historical research or statistical purposes;
d) Processed only for journalistic, literary or artistic purposes where the journalistic, literary or artistic material is to be published and Cedar believes such publication would be in the public interest and consistent with the public interest in freedom of expression; or
e) Any other reason permitted by the DPA or other legislation, rules or guidance applicable to Cedar

 

5.5. The Right to Prevent Processing for Direct Marketing

5.5.1. A Stakeholder has the right at any time, by notice in writing to Cedar, to require us to stop processing any Personal Data for the purpose of direct marketing.
5.5.2. Cedar shall comply with any such notice within 3 days of receipt of the notice.
5.5.3. For the purposes of this Clause 5.5, “direct marketing” means the communication, by whatever means, of any advertising or marketing material which is directed to particular individuals.

 

6. Data Storage and Security

6.1. Personal data will be stored securely using appropriate technical and organizational measures to prevent unauthorized access, loss, or misuse.
6.2. Access to Personal Data will be restricted to authorized personnel with a legitimate need to access such information.
6.3. Cedar will take reasonable steps to permit Personal Data to be moved, copied or transferred from one IT environment to another.
6.4. Cedar will take steps to facilitate the transfer of Personal Data within a reasonable time (usually within 30 days) of receiving a written request from a Stakeholder.

 

7. Consent and Access

7.1. Individuals must be asked to provide consent for the collection and use of their Personal Data.
7.2. Consent must be indicated with a positive action and will not be inferred from silence, inactivity, or pre-ticked boxes.
7.3. Consent will only be accepted where it is freely given, specific and informed. There should be a clear indication of the Stakeholder’s wishes.
7.4. Where consent is given, a record will be kept documenting how and when consent was given and for what purpose.
7.5. Cedar will ensure that consent mechanisms meet the requirements of the EU General Data Protection Regulation, where applicable. Where the requirements of consent cannot be met, an alternative legal basis for processing the Personal Data must be found, or the processing may not be done.
7.6. The consent of parents will be sought prior to the processing of a student’s Personal Data, except where the processing is related to preventative or counselling services offered directly to a student.

 

8. Data Sharing

8.1. Cedar International School may share Personal Data with third parties only when necessary for educational or administrative purposes, such as sharing academic records with universities or (in accordance with Clause 4.5 above) providing health information to medical professionals.
8.2. Data sharing will be done in compliance with contractual agreements but subject to the provisions of the DPA and this Policy.

 

9. Photographs

9.1. This section applies to the use of photographs in school publications, whether printed or digital, and in press releases submitted to media outlets.

9.2. Parental Consent for Photo Use

9.2.1. Parents will complete a form upon their child’s initial enrolment to Cedar and again at the start of each academic year providing or declining consent to have their child’s photograph used for school publications and press releases.
9.2.2. A ‘no photograph’ list, providing the names of all students whose parents have declined consent in 9.2.1 above, shall be maintained by the Front Office Manager and available to relevant, authorized staff in the school’s shared Google drive.
9.2.3. Parents may at any time withdraw their consent/non-consent for the use of their child’s photograph for school publications by notifying the Front Office Manager in writing.
9.2.4. In the case of crowd photos or large group shots (e.g. team photos), it is not necessary to have parental permission for every student in the crowd or every student who may appear in the background of the photo before publishing the image, so long as those students are not identified.

9.3. Guidelines for Taking Photos

9.3.1. Staff are permitted to take photographs of students not on the ‘no photograph’ list to support educational aims, e.g., for classroom displays or student projects. Any such photographs should be appropriate in nature, meaning the dress and activities are appropriate for a school setting or activity.
9.3.2. Students must not take, use, share or publish photographs of others without consent.
9.3.3. Parents are not required to comply with the Data Protection Policy when taking photographs of their children, for their own private use, at a school event.
9.3.4. Students will be identified by name and grade in the yearbook, but cannot be identified as such in other publications unless the name and grade are relevant for the nature of the press release or social media post (e.g. a post or article about an individual achievement) and permission has been granted by the parent to publish such details.
9.3.5. If at any point a parent or child wishes to have a photograph of their child (in the case of a parent) or of themselves (in the case of a child) removed from a school publication, they may communicate their desire to the Front Office Manager or to an appropriate school administrator.

10. Security Cameras

10.1. Cameras are only placed where they do not intrude on anyone’s privacy and are necessary to fulfill their purpose.
10.2. Security footage is only stored until it is overwritten by new footage, with the exception that specific footage related to any incident requiring investigation may be saved strictly for purposes of review and accountability by relevant, authorized personnel.
10.3. Only persons appointed as the Head of School, Facilities Manager, Technology Coordinator, and Division Heads have access to footage for review.

11. Data Retention

11.1. Personal data will be retained only for as long as necessary for the purpose for which it was collected and in accordance with applicable legal requirements.
11.2. Data that is outdated or no longer necessary to be retained by Cedar will be securely disposed of using appropriate methods.

12. Data Breach Response

12.1. In the event of a data breach, Cedar will take immediate action to assess and mitigate the breach’s impact. Affected individuals and relevant authorities will be notified as required by law.

13. Data Protection Officer

13.1. Cedar will designate a Data Protection Officer (DPO) responsible for overseeing data protection activities, addressing inquiries, and ensuring compliance with data protection laws.
13.2. The initial DPO will be the Human Resources Officer. Cedar will notify Stakeholders of any change in the appointment of the DPO.

14. Awareness

14.1. Cedar will post this policy publicly on its website and in other places where policies appear.
14.2. The policy shall be annually communicated to staff and relevant stakeholders so they are aware of data protection principles, practices and their responsibilities in handling Personal Data.

15. Policy Review

15.1. This policy will be reviewed as needed, but at least every three years, to ensure its effectiveness and compliance with any changes in data protection laws or school operations.



Issued / revised by Cedar Board of Trustees Oct 2023