
Oaks International Education Ltd

Data Protection Policy

 

Contents

 

  1. Introduction and purpose

  2. Scope

  3. Definitions

  4. Roles and responsibilities

  5. Data protection principles

  6. Security of personal information

  7. Managing personal data breaches

  8. Responding to requests from individuals (‘rights of data subjects’)

  9. Document retention

  10. Data protection by design and default

  11. Data processors

  12. Record of processing activities

  13. Data protection impact assessments

  14. Appointment of a Data Protection Officer

  15. AEGIS

  16. Policy review

 

  1. Introduction and purpose

 

This policy outlines our approach to handling personal information in accordance with the UK General Data Protection Regulation 2016 and the Data Protection Act 2018.

 

For the purposes of this policy, Oaks International Education Ltd is the data controller, and we are registered with the Information Commissioner’s Office (ICO) under registration number ZB882060. The purpose of this Policy is to explain how we handle personal information under the relevant data protection laws, and to inform employees and other individuals who process personal information on our behalf of our expectations in relation to this.

 

  2. Scope

 

This policy applies to the processing of personal information that is held by Oaks International Education Ltd. This includes personal information about employees, volunteers, parents, students, homestays, visitors, and any other individuals who engage with us.

 

This policy should be read in conjunction with the Oaks International Education Ltd Privacy Policy.

 

  3. Definitions

 

The following terms are used throughout this policy and it is important that you understand what they mean:

 

  1. Personal data: Any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

  2. Data subject: The identified or identifiable living individual to whom personal data relates.

  3. Controller: A person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  4. Processor: A person or organisation which processes personal data on behalf of the controller, and in accordance with their instructions. 

  5. Processing: This is anything that you do with data, including collecting, recording, storing, using, analysing, combining, disclosing, or deleting it.

  6. Special category data: This is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.  It also includes genetic data, biometric data, and data concerning a person’s health, their sex life, and sexual orientation.

 

  4. Roles and responsibilities

 

Oaks International Education Ltd is the data controller, and we are responsible for complying with the UK GDPR.

 

Director

 

The Director has day-to-day responsibility for ensuring that this policy is implemented, adopted and adhered to by employees and all other individuals who process personal information on behalf of Oaks International Education Ltd.

 

Employees

 

All employees and any other individuals who process personal information on behalf of Oaks International Education Ltd are responsible for complying with this policy in its entirety.

 

Failure to comply with this policy may result in disciplinary action being taken, or the termination of an employment contract.

 

  5. Data protection principles

 

The UK GDPR sets out several key principles which govern how Oaks International Education Ltd handles personal information. Complying with these principles helps us to ensure that we comply with the law, and that our practices in relation to data protection are good.

 

The principles state that personal information must be:

 

  1. Processed in a way that is lawful, fair, and transparent (“lawfulness, fairness, and transparency”)

  2. Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”)

  3. Adequate, relevant, and limited to what is necessary (“data minimisation”)

  4. Accurate, and where necessary, kept up to date (“accuracy”)

  5. Kept for no longer than is necessary (“storage limitation”)

  6. Processed in a way that ensures it is safe and secure, by means of appropriate technical and organisational measures (“integrity and confidentiality”)

 

The UK GDPR requires us to be able to evidence that we are complying with these principles.  This is called the “accountability principle”.

 

Lawfulness, fairness, and transparency

 

We only process personal information where there is a lawful basis for doing so.  The lawful bases are as follows:

 

  1. Where the data subject has given us their consent to the processing

  2. Where processing is necessary for the performance of a contract, or to enter into a contract, with the data subject

  3. Where processing is necessary to comply with a legal obligation that we are subject to

  4. Where processing is necessary to protect the vital interests of the data subject or another person

  5. Where processing is necessary for the performance of a task carried out in the public interest

  6. Where processing is necessary for the purposes of the legitimate interests pursued by Oaks International Education Ltd or by a third party, except where such rights are overridden by the interests or fundamental rights and freedoms of the data subject

 

We will only process special category data where a lawful basis has been identified from the list above, plus one from the following list:

 

  1. The data subject has given us their explicit consent

  2. The processing is necessary for the purposes of exercising or performing any right or obligation which is imposed on Oaks International Education Ltd in relation to employment, social security, and social protection law

  3. The processing is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent

  4. The processing is necessary for the establishment, exercise, or defense of legal claims

  5. The processing is necessary for reasons of substantial public interest

  6. The processing is necessary for the assessment of the working capacity of an employee

 

The principle of fairness means that personal information should be used in a way that the data subject would reasonably expect.

 

The UK GDPR defines ‘consent’ as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

 

When we rely on consent as the basis for processing personal information, we will ensure that the data subject is able to withdraw their consent as easily as they gave it, and at any time.

 

We will always use the most appropriate basis for processing personal information.

 

The principle of transparency requires us to ensure that any information provided by us to data subjects about how their personal information will be processed, is concise, easily accessible, easy to understand, and written in plain language.

 

Purpose limitation

 

We will be clear from the very beginning as to why we are collecting personal information and what we intend to do with it.

 

We will only collect personal information for specified, explicit, and legitimate purposes, and we will not process information in any way that is incompatible with those purposes.

 

If things change, and we intend to use personal information for a different purpose, we will make sure that the new use is fair, lawful, and transparent.  We will always inform data subjects before we use their personal information for a new purpose, and where the lawful basis relied upon for the original purpose was consent, we will obtain such consent again.

 

Data minimisation

 

The personal information that Oaks International Education Ltd collects and processes will be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be processed.

 

Accuracy

 

The personal information that Oaks International Education Ltd collects and processes will be accurate and, where necessary, kept up to date, and will be corrected or deleted without delay when we are notified that the information is inaccurate.

 

All employees are required to update all relevant records if they become aware that any personal information is inaccurate.

 

Storage limitation

 

We do not keep personal information for longer than we need it.

 

We carefully consider how long we keep personal information for, and we justify our reasons for keeping it.  Most of our retention periods are determined by legal timescales, for example those that apply to personal information relating to income tax contributions.

 

We have a retention schedule in place which details the types of personal information we hold, the reasons for holding it, and the retention period.  This schedule forms part of our Record of processing activities (please see Section 12).

 

We regularly review the data we hold and delete or securely destroy it when we no longer need it.

 

Integrity and confidentiality

 

We take our responsibilities under data protection laws very seriously and we will always ensure that we have appropriate security measures in place to protect the personal information we hold.

 

This means that we will have appropriate measures in place to protect personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage.

 

Oaks International Education Ltd employees are responsible for ensuring the security of the personal information processed by them in the performance of their duties and tasks.

 

  6. Keeping personal information secure

 

We have appropriate technical and organisational measures in place to ensure that we process personal information securely, and to prevent personal information we hold being accidentally or deliberately compromised.

 

Technical measures

 

  1. We enforce strong password policies; passwords are changed at appropriate intervals and are not shared or used by others

  2. We ensure that laptops, USB/memory sticks and other portable devices containing personal information are encrypted

  3. We have a firewall, anti-virus, and anti-malware software in place

  4. We restrict access to systems, so personal information is only accessible to those people who need to use it as part of their work

  5. Personal information held electronically is backed up on each weekday, using AES 256 encryption

  6. Paper documents containing personal information are securely destroyed using a shredder when they are no longer required

 

Organisational measures

 

  1. We provide data protection awareness training to all employees during their induction and annually thereafter

  2. We have appropriate policies and procedures in place to ensure our employees fully understand their responsibilities under data protection laws

  3. We ensure that our employees and any other individuals who process personal information on behalf of Oaks International Education Ltd, are aware of their individual responsibilities under data protection laws and how these apply to their areas of work

  4. We promptly investigate all suspected personal data breaches; we always make the appropriate external notifications (where applicable) and seek to learn any lessons from the incident to reduce the risk of reoccurrence.

  5. Paper documents containing personal information are securely locked away when not in use

  6. Paper documents containing personal information are securely destroyed using shredders when they are no longer needed

  7. Employees take every opportunity to ensure that the personal information we hold is accurate and kept up to date

  8. Employees do not disclose personal information to any unauthorised persons, whether externally or within Oaks International Education Ltd.

 

We regularly test, assess, and evaluate the effectiveness of the measures we have put in place, and act on the results of those tests where they highlight areas for improvement.

 

  7. Managing personal data breaches

 

We have a procedure in place for managing and responding to personal data breaches.

 

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.  

 

Examples of personal data breaches include:

 

  1. Sending personal data to the wrong person

  2. Access to personal data by an unauthorised third party

  3. Devices or equipment containing personal data being lost or stolen

 

All suspected personal data breaches and security incidents must be reported without delay to the Director. All personal data breaches will be investigated promptly and recorded on our internal data breach register.

 

The Director is responsible for deciding whether a personal data breach needs to be reported to the ICO and data subjects.

 

Notifying the ICO and other external authorities

 

Where a personal data breach is likely to result in a risk to the rights and freedoms of a data subject(s), we will notify the ICO within 72 hours of becoming aware of the breach.

 

We may be required to notify a personal data breach to other external authorities.  For example, we may be required to notify the Police or a funding authority. The Director is responsible for agreeing all external notifications.

 

Notifying data subjects

 

Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject(s), the Director will communicate the personal data breach to the data subject(s) without undue delay.

 

When informing the data subject(s) about the breach, we will provide in clear, plain language, the following information:

 

  1. Details about the nature of the breach

  2. The name and contact details of the organisational point of contact, whom the data subject(s) can contact if they require further information

  3. The likely consequences of the breach

  4. Measures taken, or proposed to be taken, to address the breach, including measures to mitigate possible adverse effects

 

  8. Responding to requests from individuals (‘rights of data subjects’)

 

The UK GDPR provides data subjects with a number of rights in relation to their personal information.

 

These are:

 

  1. The right to request a copy of the personal information we hold about them

  2. The right to request that inaccurate or incomplete information about them is rectified

  3. The right to request that their personal information is deleted

  4. The right to request that the processing of their personal information is restricted

  5. The right to data portability

  6. The right to object to the processing of their information

  7. The right to complain to the ICO if they are not happy with how their personal information has been processed, or they feel their data protection rights have been infringed

 

We will endeavour to respond to all requests without delay, and in any event within one month of receiving a request. There may be circumstances when we need to extend the time limit for responding to a request. We will tell the individual who has made the request if this is the case and keep them informed.

Before responding to a request, we may need to ask for further information and/or proof of the individual’s identity.

There may be exceptions to the rights outlined above; each request we receive will be reviewed on a case-by-case basis.

  9. Document retention

We do not keep personal information for longer than we need it.

We carefully consider how long we keep personal information for, and we justify our reasons for keeping it.  Most of our retention periods are determined by legal timescales, for example those that apply to personal information relating to income tax contributions.

We have a retention schedule in place which details the types of personal information we hold, the reasons for holding it, and the retention period.  This schedule forms part of our Record of processing activities (please see Section 12).

We regularly review the data we hold and delete or securely destroy it when we no longer need it.

  10. Data protection by design and default

 

We consider data protection and privacy issues upfront in everything we do.  We are required to do this under the UK GDPR.

 

We make sure that when we are designing and implementing a new organisational system, service, or practice, we consider the data protection issues before we begin.  We also make sure, by default, that we only process personal information where it is necessary to do so.

 

  11. Data processors

 

Whenever we use a third party to process personal information on our behalf, we will always undertake appropriate due diligence and ensure a data processing agreement is in place.

 

We only use processors that provide us with sufficient guarantees about their security measures.

 

  12. Record of processing activities

 

Oaks International Education Ltd maintains a record of its processing activities, as is required under Article 30 of the UK GDPR.  

 

This record is held in electronic format and contains the following information:

 

  1. Our organisation name and contact details

  2. A description of the personal information we process

  3. Categories of data subjects

  4. Purposes of the processing

  5. Recipients of the personal information

  6. The name of any countries or organisations outside the UK that we transfer personal information to, together with information about the safeguards in place

  7. Retention periods

  8. A general description of our technical and organisational security measures, e.g. encryption, access controls, and training.

 

We regularly review the personal information we process and update this record accordingly.

 

This record will be made available to the ICO, if requested.

 

  13. Data Protection Impact Assessments (DPIAs)

 

A Data Protection Impact Assessment (DPIA) is a process that helps us to identify and minimise the data protection risks associated with a project, process, or activity involving the processing of personal information.

 

We are required to carry out a DPIA for any processing that is likely to result in a high risk to individuals.  We will also carry out a DPIA for any other major project which requires the processing of personal information, because it is good practice to do so.

 

The DPIA will:

  1. Describe the nature, scope, context, and purposes of processing

  2. Assess necessity, proportionality, and compliance measures

  3. Identify and assess risks to individuals

  4. Identify any additional measures to mitigate those risks

We will record the outcome of the DPIA and implement the measures identified.

  14. Appointment of a Data Protection Officer

 

Under Article 37 of the UK GDPR, controllers and processors are required to appoint a Data Protection Officer if:

 

  1. The processing is carried out by a public authority or body

  2. The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of individuals on a large scale

  3. The core activities of the controller or processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences

 

The status of our organisation and the scope of our processing activities mean that we are not required to appoint a Data Protection Officer.

 

We will keep this decision under review, should our processing activities change.

 

 

  15. AEGIS

As part of the Gold Standard accreditation process, Oaks International Education Ltd is required to send the AEGIS office a copy of the contact details for all of its homestays, partner schools and parents. We will also provide the names of the students. This data is held securely by AEGIS and is destroyed once the inspection process is finished.

 

  16. Policy review

 

This policy was last updated on 14.09.2025.

 

We will review this policy on an annual basis, or when there is a change to data protection laws or our organisational policies and procedures.

Oaks International Education Ltd 2025/2026 All Rights Reserved