Privacy Policy
General
We collect information to allow us to provide services effectively. You should expect that we will keep a record of your contact details and may collect information on paper, online forms, by telephone, email or by a member of staff in person. This information is important and we are responsible for the information we collect and use is done proportionately, correctly, safely and in accordance with current data protection legislation.
Toranj Tuition will update this policy annually to remain in accordance with data protection legislation. In terms of the relevant legislation that apply to our business and your personal data, Toranj Tuition adheres to the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018.
The Personal Information We Collect
We currently collect and process the following information:
- The name or network address of the computer making the request (N.B. under some circumstances it may be possible to infer from this the identity of the person making the request). Additionally, the data recorded may be that of a web proxy rather than that of the originating client.
- The username, when known, during authenticated access to the site.
- The date and time of connection.
- The HTTP request, which contains the identification of the document requested.
- The status code of the request (i.e., success or failure).
- The number of data bytes sent in response.
- The contents of the HTTP referrer header supplied by the browser.
- The content of the HTTP user-agent header supplied by the browser.
- Logging of additional data may be enabled temporarily from time to time for specific purposes. Additionally, the computers on which the website is hosted keep
record of attempts (authorised or unauthorised) to use them for purposes other than access to the web server. This data typically includes the date and time of the attempt, the service to which access was attempted, the name or network address of the computer making the connection. It may include details of what was done or attempted.
- Website user statistics. For our online referral form, we collect the following information:
- Personal identifiers, contacts and characteristics (e.g., name and contact details).
- Referral details (e.g., name of the referral, client availability and language requirements).
- Customer financial information.
How We Get Personal Information and Why We Have It
The personal information collected on this site and processed is provided by you for one of the following reasons:
- This site automatically logs information about requests for system administration, bug tracking and producing usage statistics. We do not store logged information for more than five years after the completion of a contract and/or usage of the site. Under UK Data Protection Act 2018, personal data cannot be stored for longer than its necessary use.
- In the event the system is misused, data may be processed by the team as part of an investigation. This data may be processed by administrators or other computer systems experts to enable investigation.
Additionally, data may be included in information passed to computer maintenance organisations working for Toranj Tuition. In this case, it will be protected by non-disclosure agreements (NDAs).
N.B. A log is a record of what the server sees, not necessarily what was sent. If a request is sent via proxy, the log file will show the proxy address. Conversely, if someone has forged your address, the log file will show your address. Personal information may also be collected on paper, online forms, by telephone, email or by a member of staff in person. No matter how personal information is collected, the subject will be asked to opt-in and consent to the storage and processing of their data.
Toranj Tuition uses personal information in order to:
- Provide our website and services. We process your personal data to perform our contract with you for the use of our websites and services and to fulfil our obligations under applicable terms of use/service; where we have not entered into a contract with you, we base the processing of your personal data on our legitimate interest to operate and administer our websites and to provide you with content you access and request (e.g., to download content from our websites).
- Maintain the security of our website and services. We process your personal data by verifying accounts and activity, investigating suspicious activity and enforcing our terms and policies, to the extent this is necessary for our legitimate interest in promoting the safety and security of the services, systems and applications and in protecting our rights and the rights of others.
- Providing necessary functionality. We process your personal data to perform our contract with you for the use of our websites and services. Where we have not entered into a contract with you, we base the processing of your personal data on our legitimate interest to provide you with the necessary functionality required during your use of our websites and services.
- Handling contact requests. If you fill out a “Contact us” web form or request user support, or if you contact us by other means including via a phone call, we process your personal data to perform our contract with you and to the extent it is necessary for our legitimate interest in fulfilling your requests and communicating with you.
- Managing payments. If you have provided financial information to us, we process your personal data to verify that information and to collect payments to the extent that doing so is necessary to complete a transaction and perform our contract with you.
- Registering office visitors. We process your personal data for security reasons, to register visitors to our offices and to manage non-disclosure agreements that visitors may be required to sign, to the extent such processing is necessary for our legitimate interest in protecting our offices and our confidential information against unauthorised access.
- Sending marketing communications. We will process your personal data to send you marketing information, product recommendations and other non-transactional communications (e.g., marketing newsletters, calls, or SMS) about us and our affiliates and partners, including information about our products, promotions or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent.
We will not share information about an individual to anyone without appropriate consent unless the law and our policies allow us to.
Additionally, we may share individual information, including photographs, (with the appropriate consents) on our website, in newsletters, and our annual report. This would not include special category data. This means personal data about an individual’s:
- Race;
- Ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data (where this is used for identification purposes);
- Health data;
- Sex life; or
- Sexual orientation.
Under the Data Protection Act 2018 and UK GDPR (2021), the lawful bases we rely on for processing this information are:
(a) Your consent. You can remove your consent at any time. You can do this by contacting info@toranjtuition.org. By accessing our services, you must give consent for the storage and processing of your personal data.
(b) We have a contractual obligation. Under the requirements of our charitable funders, we sometimes need to produce summary statistics from the data collected on our site. This summary will not include information from which individuals could be identified.
Sharing personal data
We will not share personal data with anyone else without consent, but there are certain circumstances where we may be required to do so. These include, but are not limited to, situations where:
- There is an issue with a pupil or parent/carer that puts the safety of our staff at risk
- We need to liaise with other agencies – we will seek consent as necessary before doing this
- Our suppliers or contractors need data to enable us to provide services to our staff and pupils – for example, MIS system or IT services. When doing this, we will:
- Establish a contract with the supplier or contractor to ensure the fair and lawful processing of any personal data we share
- Only share data that the supplier or contractor needs to carry out their service
- Only appoint suppliers or contractors which can provide sufficient guarantees that they comply with UK data protection law
We will also share personal data with law enforcement and government bodies where we are legally required to do so.
We may also share personal data with emergency services and local authorities to help them to respond to an emergency situation that affects any of our pupils or staff.
Where we transfer personal data internationally, we will do so in accordance with UK data protection law.
Photographs and videos
As part of our organization’s activities, we may take photographs and record images of individuals within our classes.
We will obtain written consent from parents/carers, or pupils aged 18 and over via the school for photographs and videos to be taken of pupils for communication, marketing and promotional materials. We will never approach a parent or student directly with this request.
Where we need consent, we will clearly explain how the photograph and/or video will be used to both the parent/carer and pupil.
Any photographs and videos taken by students/parents/carers/school staff at schools for their own personal use are not covered by data protection legislation. However, we will ask that photos or videos with other pupils are not shared publicly on social media for safeguarding reasons, unless all the relevant parents/carers (or pupils where appropriate) have agreed to this.
Consent can be refused or withdrawn at any time. If consent is withdrawn, we will delete the photograph or video and not distribute it further.
When using photographs and videos in this way we will not accompany them with any other personal information about the child, to ensure they cannot be identified.
Data Storage
Your personal data is securely stored in password-controlled servers with limited access. We may retain your personal data for a period of time consistent with the original purpose of collection as above. We determine the appropriate retention period for personal data on the basis of the amount, nature and sensitivity of personal data processed, the potential risk of harm from unauthorised use or disclosure of personal data and whether we can achieve the purposes of the processing through other means, as well as on the basis of applicable legal requirements (such as applicable statutes of limitation). Logged information will not be stored for more than five years. Toranj Tuition will then dispose your information by destroying physical copies by shredding and deleting files on our host site and logs. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.
We take precautions, including organisational, technical and physical measures, to help safeguard against the accidental or unlawful destruction, loss, alteration and unauthorised disclosure of, or access to, the personal data we process or use.
Personal Data Breaches
The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The DPO will ensure that all staff members are made aware of, and understand, what constitutes a data breach as part of their training.
Where a breach is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority (Information Commissioner’s Office (ICO)) will be informed. All notifiable breaches will be reported within 72 hours of Toranj Tuition becoming aware of it.
The risk of the breach having a detrimental effect on the individual, and the need to notify the relevant supervisory authority, will be assessed on a case-by-case basis.
In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, Toranj Tuition will notify those concerned directly. A ‘high risk’ breach means that the threshold for notifying the individual is higher than that for notifying the relevant supervisory authority. In the event that a breach is sufficiently serious, the public will be notified without undue delay. Effective and robust breach detection, investigation and internal reporting procedures are in place at Toranj Tuition, which facilitate decision-making in relation to whether the relevant supervisory authority or the public need to be notified. Within a breach notification, the following information will be outlined:
- The nature of the personal data breach, including the categories and approximate number of individuals and records concerned.
- The name and contact details of the DPO.
- An explanation of the likely consequences of the personal data breach.
- A description of the proposed measures to be taken to deal with the personal data breach.
- Where appropriate, a description of the measures taken to mitigate any possible adverse effects
Failure to report a breach when required to do so may result in a fine, as well as a fine for the breach itself.
Your Data Protection Rights
Under the UK Data Protection Act 2018 and GDPR, you have the following rights:
- Access. You have the right to ask us for copies of your personal information.
- Rectification. You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Erasure. You have the right to ask us to erase your personal information in certain circumstances.
- Restriction of Processing. You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Object to Processing. You have the right to object to the processing of your personal information in certain circumstances.
- Data Portability. You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You also have the right to claim compensation for damages caused by a breach of the Data Protection regulations.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. If you wish to make a request, contact us at:
Toranj Tuition, 29 Beverly Road, Kingston upon Hull, U.K., HU3 1XH
(+44) 1482 328 143
(+44) 7886 944 018
info@toranjtuition.org
www.toranjtuition.org
How to Complain
If you have any concerns about our use of your personal information, you can make a complaint to the Data Protection Officer (DPO) Seyed Mani Sajedin:
mani@toranjtuition.org
07930 699 700
You can also complain to the ICO if you are unhappy with how we have used your data. The ICO’s address is:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Updates to This Privacy Policy
We are committed to updating this policy annually to reflect changes in our practices, technologies, legal requirements and other factors. If we do feel changes are necessary, we will update the “effective date” at the top of this policy. If we make a significant update, we may provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on our website or by contacting you using the email address you provided. We encourage you to periodically review this policy to stay informed about our collection, processing and sharing of your personal data.