The GDPR sets out additional requirements of data processors and data controllers.
The Harmony Trust is both a data controller and a data processor.
2. Categories of data processed and their legal basis
The range of data controlled and/or processed is set out in table 1.
|Data Category|Controller|Processor|Legal Basis|Notes|
|---|---|---|---|---|
|Delegate Information|Harmony Trust|Yes|Processed By Consent|Course Registrations - to include broad personal details|
|Registration Records|Harmony Trust|Yes|Processed By Consent|Names, Addresses, Telephone Numbers, Email Addresses|
|Communication Preferences|Harmony Trust|Yes|Processed By Consent|Contact Details for Newsletters, Promos etc.|
The lawful bases for processing personal data are set out in Article 6 of the General Data Protection Regulation (GDPR). At least one of these must apply whenever we process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This cannot apply if you are a public authority processing data to perform your official tasks. Public authorities will need to rely on official functions.
In all cases:
- For data for which The Harmony Trust is the controller, the legal bases are consent and, in some cases, legal obligation.
- Data processed for registrants is processed on the basis of consent.
Data Processor activities must be governed by a binding contract. The binding obligations on the Processor must cover:
- the duration,
- nature and purpose of the processing,
- the types of data to be processed and
- the obligations and rights of the Controller.
Personal Data can only be processed in compliance with documented instructions from the Controller, and the processor is required to assist the Controller in complying with their obligations.
The Data Processor has an obligation to tell the Controller if it believes an instruction to hand information to the Data Controller breaches the Data Protection Framework or any other law.
3. Data Risk Assessment
The data held includes personal data for employees and other staff engaged in the work of the Teaching Alliance.
Data loss could potentially include sensitive personal data (as defined by the Information Commissioner's Office, 2018).
The risk of loss is: low.
The potential impact is: moderate.
There is however a significant reputational risk to the Harmony Trust resulting from any data loss.
4. Controls and the transfer, storage and retention and deletion of data.
4.1 Data transfer
The transfer of sensitive personal data will be minimised, including by:
- Utilizing anonymized data where practical
- Utilizing suitable commercial software that allows secure remote access.
- Minimizing the downloading of data to that necessary to deliver the contract (see 'legal basis' above and 'storage' and 'retention' below).
Where it is necessary to physically transfer data, this will only be undertaken in a secure manner and with an appropriate legal basis. The options for data transfer are:
- Encrypted media
- Secure file transfer software.
- Where it is necessary and appropriate to move information in hard copy, The Harmony Trust will take all reasonable precautions to maintain security; for example, paper records will not be left unattended.
4.2 Data storage
- All electronic personal data relating to employees or customers will be stored on encrypted media at all times.
- Data will be backed up to an external encrypted drive on a regular basis. The backup drive will be stored in a lockable and fire-resistant cabinet.
- The Harmony Trust will maintain current anti-virus and firewall software.
Any paper records will be stored in secure storage in accordance with the agreed Retention Policy (December 2018).
4.3 Data retention / deletion
Client data will only be retained whilst necessary for the completion of a contract. This will include a period (typically 12 months) that data will be retained to allow any queries from the individual to be addressed quickly.
Employee data will be retained in line with the legal obligations on The Harmony Trust or (if for longer) with consent.
Identifiable personal data will be deleted as soon as possible on completion of the contract for the client, and typically after 12 months. Disposal of encrypted media at the end of its useful life will be done securely with drives completely wiped and destroyed by acid or other methods recognized as meeting the required standards.
Paper records with identifiable personal data will be confidentially shredded when no longer needed for delivery of the contract with the Controller (typically within one month of completing the specific data processing task and, unless specifically required by the contract, within one year).
5. Data Protection Officer (DPO)
A DPO must be appointed if an organisation is a public authority (except for courts), the core activities of the business require large scale, regular, systematic monitoring of individuals (e.g. online behaviour tracking) or the core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
The Data Protection Officer for the Harmony Trust is: Illuminate Learning Ltd (Colin Bellis)
6. Record of Processing Activities
As the Harmony Trust has more than 250 employees, and some of the data it holds includes sensitive personal data, a Record of Processing Activities (RoPA) will therefore be maintained that will set out:
- Controllers we act for
- Any other Processors
- Data Protection Officer (DPO), if applicable
- The categories of processing carried out
- Details of any transfers to third countries
- A general description of technical and organisational security measures
The Harmony Trust will not subcontract data processing to any other party without the written permission of the relevant customer and with contractual arrangements in place that fully reflect GDPR requirements. In practice our current policy is not to sub-contract.
We will not transfer data to countries outside of the EU.
7. Policy in the event of a data breach
The Harmony Trust is required to notify the relevant controller of any breach without undue delay after becoming aware of it. This would normally mean on the same working day.
Controllers have 72 hours to notify the Information Commissioner's Office from the point the breach is detected; therefore reporting from the Processor to the Controller is required well within this 72-hour period.
8. Subject Access Requests
As a data processor The Harmony Trust would pass any subject access request to the relevant data controller without undue delay (normally on the same working day).
Subject access requests for data for which we are the controller (i.e. from employees) will be processed in line with the relevant legislation and the current policies of the trust.
9. Teaching School Alliance Website
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. However, this may prevent you from taking full advantage of the website.
Links to other websites
Our website contains links to other websites. These links are only to our trusted partners, government and other statutory agencies.
10. Sharing of Data
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
You may request details of personal information which we hold about you under the General Data Protection Regulation 2018. If you would like a copy of the information we hold on you please write to us.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible.
Key Data Controller Details

|Item|Detail|
|---|---|
|Data Controller|Colin Bellis|
|Company Name|The Harmony Trust (Contracted to Illuminate Learning Ltd)|
|UK Registration Number|10963855|
|ICO Registration Number|A8292580|
|VAT Registration Number|GB284754073|
|Company Address|93 Lexton Drive, Southport, Merseyside, PR9 8QN|
Updated 19th December 2018