1. INTRODUCTION
1.1 STRATHMORE SCHOOL collects and uses personal information about staff, students, parents or guardians and other individuals who come into contact with the school. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the school complies with its statutory obligations.
2. PURPOSE
This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act, 2019, the Regulations made under the Act and other related legislation. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper files or electronically. All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines.
3. COLLECTING AND USING YOUR PERSONAL DATA
3.1. Strathmore School may ask you as parents or guardians to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information collected from parents or guardians may include, but is not limited to:
– names;
– names of spouses;
– names of children;
– religion;
– profession;
– place of work;
– Physical Home address;
– telephone numbers;
– post office addresses;
– email addresses;
– identification card numbers;
– photographs and audiovisual recordings taken during school events
3.2. In the course of your son’s stay at the school, the school will collect personal information and also generate and process data specific to your son. This information includes and is not limited to the following: – names;
– date of Birth;
– religion;
– birth certificates;
– academic certificates such as KCPE certificates;
– medical history such as allergies;
– hobbies;
– passport-size photographs
– academic performance;
– discipline profile;
– learners’ photographs
3.3 Use of personal data by Strathmore School
3.3.1. Strathmore School processes personal data on learners, staff and other individuals such as visitors. In each case, the personal data is processed in accordance with the data protection principles as outlined below.
3.3.2. The personal data held regarding learners includes contact details, assessment/examination results, attendance information, characteristics such as religion, any relevant medical information, photographs and audio-visual recordings.
3.3.3. The data is used in order to support the education of the learners, to monitor and report on their progress, to provide appropriate pastoral care, to assess how well the school as a whole is doing, together with any other uses normally associated with this provision in a school environment.
3.3.4. Strathmore School may make use of limited personal data (such as contact details) relating to learners, and their parents or guardians for fundraising, marketing or promotional purposes, to maintain relationships with learners of Strathmore School, and to provide alumni-related services to former learners such as communicating opportunities and celebrating alumni achievements, but only where consent has been provided for these uses of their personal data.
3.3.5. In particular, Strathmore School may:
3.3.5.1. transfer information to any association, society or club set up for the purpose of maintaining contact with learners or for fundraising, marketing or promotional purposes relating to the school but only where consent from the relevant data subject has been obtained first;
3.3.5.2. make personal data, including sensitive personal data, available to staff for planning curricular or extra-curricular activities;
3.3.5.3. Any wish to limit, object to any use of personal data or to exercise any of the data subject rights detailed in Section 5 of this Policy should be addressed to the school Data Protection Officer in writing, which notice will be acknowledged in writing. If, in the view of the school Data Protection Officer, the objection or attempt to exercise the data subject’s rights cannot be maintained, the individual will be given written reasons why the school cannot comply with their request.
3.4. Personal data shall be retained for a period no longer than is necessary for the purposes for which it is obtained and processed. Data retention will be done in line with legal requirements and Strathmore School’s operational needs. Where personal data has satisfied the purpose for which it was obtained and processed, Strathmore School may still retain the data if the retention is required or authorized by law, where the retention is reasonably necessary for a lawful purpose, where the retention is consented to by the data subject, or where the retention is necessary for historical, statistical, journalistic literature and art or research purposes.
4. DATA PROTECTION PRINCIPLES
4.1. Strathmore School will ensure that the following principles governing data protection are adhered to at all times. That personal data is:
4.1.1. processed in accordance with the right to privacy;
4.1.2. processed lawfully, fairly and in a transparent manner;
4.1.3. collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
4.1.4. adequate, relevant and limited to what is necessary;
4.1.5. collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
4.1.5. accurate and where necessary, kept up to date with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
4.1.6. kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
4.1.7. not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
5. DATA SUBJECT RIGHTS
5.1. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act, 2019 and all the Regulations made under the Data Protection Act 2019.
5.2. Data subjects from whom Strathmore School collects personal data shall have the right:
5.2.1. to be informed of the use to which their personal data is to be put;
5.2.2. to access their personal data;
5.1.3. to object to the processing of all or part of their personal data;
5.1.4. to correct false or misleading data;
5.1.5. to deletion of false or misleading data about them.
5.3. The above rights shall be subject to the requirements and limitations set out in the Data Protection Act 2019 and the Regulations made under the Data Protection Act 2019.
5.4. The rights of a learner who is a minor shall be exercised by their parent/guardian. Where the learner is not a minor, their rights shall be exercised by the person duly authorized by the learner to exercise these rights.
6. GENERAL STATEMENT
6.1. Strathmore School is committed to maintaining the above principles at all times. Strathmore School will strive to ensure:
6.1.1. That individuals are informed why the information is being collected when it is collected;
6.1.2. That individuals are informed when their information is shared, and why and with whom it was shared;
6.1.3. That the quality and accuracy of the information collected is of the highest standards;
6.1.4. That when obsolete information is destroyed that it is done so appropriately and securely;
6.1.5. That clear and strong safeguards are in place to protect personal information from loss, theft and unauthorized disclosure;
6.1.6. That information with others is only shared when it is legally and professionally appropriate to do so;
6.1.7. That all members of Strathmore School staff are aware of, and understand, policies and procedures related to Data protection.
6.2. While Strathmore School will be taking reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete and current, they will rely on their data subjects to assist in providing accurate updates of their personal data.
7. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
7.1. The following list includes the most usual reasons that Strathmore School will authorise disclosure of personal data to a third party:
7.1.1 to give a confidential reference relating to a current or former employee, volunteer or learner;
7.1.2. for the prevention or detection of crime;
7.1.3. where it is necessary to exercise a right or obligation conferred or imposed by law upon Strathmore School (other than an obligation imposed by contract);
7.1.4. for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);
7.1.5. for the purpose of obtaining legal advice;
7.1.6. for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress);
7.1.7. to publish the results of public examinations or other achievements of learners of the School;
7.1.8. to disclose details of a learner’s medical condition where it is in the learner’s interests to do so and there is a legal basis for doing so, for example for medical advice, insurance purposes or to organisers of school trips. The legal basis will vary in each case but will usually be based on explicit consent, the vital interests of the child or reasons of substantial public interest (usually safeguarding the child or other individuals);
7.1.9. to provide information to another educational establishment to which a learner is transferring; and
7.1.10. to provide information to the Examination Authority as part of the examination process;
7.2. Strathmore School may receive requests from third parties to disclose personal data it holds about learners, their parents or guardians, staff or other individuals. This information will not generally be disclosed unless one of the specific exemptions under data protection legislation which allow disclosure applies or where necessary for the legitimate interests of the individual concerned.
7.3. All requests for the disclosure of personal data must be sent to the Principal, Strathmore School, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of that third party before making any disclosure.
9. DATA PROTECTION IMPACT ASSESSMENT
9.1. Strathmore School will strive to perform an annual Data Protection Impact Assessment which will include:
9.1.1. A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by Strathmore School;
9.1.2. An assessment of the necessity and proportionality of Strathmore School’s data processing operations in relation to the purposes of the processing;
9.1.3. An assessment of the risks to the rights and freedoms of the data subjects governed by this Policy; and
9.1.4. The measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Data Protection Act, taking into account the rights, and legitimate interests of data subjects.
9.2. Strathmore School will also conduct Data Protection Impact Assessment on a case-to-case basis where the processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects.
10. INCIDENCE RESPONSE
10.1. Where there is a data breach caused by the accidental or unlawful destruction,loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, Strathmore School will implement immediate incident response mechanisms to prevent any such actions.
10.2. Strathmore School’s incident response will be done in the following four steps:
10.2.1. Step 1: Report and notify the data subject of sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach;
10.2.2. Step 2: Detection of breach and analysis;
10.2.3. Step 3: Containment, eradication and recovery;
10.2.4. Step 4: Post incident investigation and report
10.3. To mitigate or address any such incidents, Strathmore school will notify and work with the Office of the Data Protection Commissioner to take any actions required of Strathmore School under the Data Protection Act 2019 and the Regulations made under the Data Protection Act 2019.
10.4. Any suspected or actual data breaches may be reported to Strathmore School as a complaint in accordance with Section 11 of this Policy.
11. ENQUIRIES AND COMPLAINTS
General enquiries relating to data handling should be addressed to:
dataprotection@strathmore.ac.ke
Complaints may be referred to the principal using the email address:
principal@strathmore.ac.ke