Data collection policy

  • Start off with the assumption that we will not need personal data, and that anonymous, aggregated data will suffice. The collection of personal data must have a specific, tangible, measurable business purpose.

  • Whenever possible, offload the collection of personal data to a third party such that the Company does not have access to this data. For example, prefer third-party advertising & analytics systems where the third-party system firewalls the Company from any personal data that the system collects.

  • In other words, prefer systems where the Company is not a data controller.

  • The DPO must approve every data collection campaign, including final copy & information that will be collected, the terms presented to the data subject, etc. This rule holds whether you believe the campaign will be collecting personal data or not. (What is considered by law to be personal data is not strictly defined, but is often quite subtle and/or surprising.)

  • Each piece of personal data is subject to a lawful basis for processing (processing includes collection):

    • We default to collection by consent, which means the data subject must be opted out of this collection by default.

    • Legitimate interest should only be applied to core business activities; e.g., account information and students' programs.

    • Contract basis should only be used for paying (or prospective) customers, and only for personal data relevant to their payment information, customer support, etc.

    • Legal obligation should only be used for collection where the law requires it; e.g., payroll data for reporting to HMRC.

  • No other form of lawful basis for processing applies to the data we collect.

  • The DPO will be the final arbiter of what is being collected by consent, legitimate interest, contract basis, and legal obligation.

  • Do not collect any more information than is necessary for the stated purpose (data minimization).

  • Delete any data that you no longer need. Note that all data must be deleted prior to the expiration of its retention period, regardless of need.

  • By law, the data subject must be presented with at least the following information when their personal data is collected:

    • the data retention period;
    • the business need that the data satisfies;
    • whether the data is being collected by consent, legitimate interest, contract basis, or legal obligation;
    • how the data will be used;
    • whatever data protection and other relevant policies were in effect at the time of the collection;
    • the contact details to be used by the data subject in reference to the data being collected.
  • Depending on the context and the nature of the data being collected, the DPO may require additional information to be presented to the data subject, beyond what is required by law.

  • Whatever information was presented to the data subject at the time their data was collected must also be preserved, without modification, along with the data and the date on which the data was collected.

  • Personal data that we collect is subject to audit by the DPO, or by a member of staff appointed by the DPO, at any time.

  • The DPO must approve every system (third party or otherwise) that we use to collect personal data. All approvals will be subject to regular review. See the data processing policy for more details.

  • Do not use data that was collected for one purpose for any other purpose, unless authorized in advance by the DPO (purpose limitation). If you wish to do this, you must:

    1. contact the DPO to make your business case for the re-purposing;
    2. receive express written consent from the DPO for the re-purposing;
    3. contact each individual whose data you wish to re-purpose, explain the reasons why you want to re-purpose their data, and explain precisely how you would like to re-purpose their data; and finally
    4. receive explicit consent from each individual before re-purposing their data.
  • Whenever technically possible, use a one-way cryptographic hash, including a random salt, to obscure the personal data that is being collected. For example, when recording IP addresses in server logs, run a one-way hash on the IP address so that the addresses are not stored in plaintext. This practice reduces the impact of a data breach.

  • When necessary and reasonable, data we collect should be kept up to date (right to rectification, accuracy principle).

  • For data minimization reasons, you should delete any previous data that has been updated; e.g., if you update a customer's email address, do not keep the previous email address. If you feel there is a business need to retain the previous information in addition to the updated information, contact the DPO.

  • We do not engage in any automated decision making or profiling that would be subject to Article 22 of the UK GDPR.

  • We do not collect or process special category data. If you believe we are collecting, processing, storing, or otherwise exposed to any special category data, inform the DPO immediately.

  • We will not purchase personal data from third parties, nor otherwise accept personal data from third parties. If you believe we are accepting personal data from a third party, inform the DPO immediately.
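
The salted one-way hashing of IP addresses in server logs described in the policy above, as an added example (not the Company's own code): it uses HMAC-SHA-256 keyed with the random salt as the salted hash. The function names, the log format and the sample lines are assumptions constructed for illustration, as is keeping the salt apart from the logs.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample lines (documentation address ranges), Common Log Format style.
SAMPLE_LINES = [
    '192.0.2.7 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '::ffff:192.0.2.7 - - [10/Oct/2024:13:55:40 +0000] "GET /a HTTP/1.1" 200 90',
    '2001:db8::1 - - [10/Oct/2024:13:56:02 +0000] "POST /login HTTP/1.1" 302 0',
    'unknown - - [10/Oct/2024:13:56:09 +0000] "GET / HTTP/1.1" 400 0',
]

def new_salt() -> bytes:
    """Random salt. Assumption: held only in memory or a secret store, never
    written next to the logs, and discarded when the log period ends."""
    return secrets.token_bytes(32)

def pseudonymize_ip(raw: str, salt: bytes) -> str:
    """Return a fixed-length token for an IP address; raises ValueError if
    `raw` is not an address."""
    addr = ipaddress.ip_address(raw.strip())
    # Normalize IPv4-mapped IPv6 so one client does not get two tokens.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # A bare or publicly salted hash of an IPv4 address can be reversed by
    # trying all 2**32 inputs, so the salt is used as an HMAC key.
    return hmac.new(salt, addr.packed, hashlib.sha256).hexdigest()[:32]

def scrub_log_line(line: str, salt: bytes) -> str:
    """Replace the leading client-address field before the line is stored."""
    field, sep, rest = line.partition(" ")
    try:
        token = pseudonymize_ip(field, salt)
    except ValueError:
        token = "-"  # not an address: store nothing rather than the raw field
    return f"ip:{token}{sep}{rest}"

if __name__ == "__main__":
    salt = new_salt()
    for line in SAMPLE_LINES:
        print(scrub_log_line(line, salt))
```

Within one salt period the same client maps to the same token, so rate limiting and abuse correlation still work; once the salt is discarded, stored tokens can no longer be linked back to an address.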
