Last updated: 26 September 2025
1. Aims
As an online provider of International Baccalaureate (IB) courses accessible from around the world, Pamoja Education Ltd. (“Pamoja” or “PMJ”) is committed to ensuring that the protection of sensitive data and information of its Students, partner Schools and team members is at the heart of what we do. Pamoja aims to provide a high quality, safe learning experience and is committed to responding appropriately to any concerns of data and privacy breaches.
Pamoja aims to ensure that all personal data collected about its team members, Students, partner Schools and other individuals is collected, stored, and processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the provisions of the Data Protection Act 2018 (DPA 2018).
This policy applies to all personal data, regardless of whether it is in paper or electronic format. It has the full support of our management team and is communicated to provide a clear understanding of company expectations of team members and associates.
We will review this policy at least annually through our formal Management Review process.
2. Legislation
This policy is based on the requirements of the UK General Data Protection Regulation (UK GDPR) and the provisions of the Data Protection Act 2018 (DPA 2018). It also reflects current guidance published by the Information Commissioner’s Office (ICO), including the ICO’s Right of Access Guidance and broader guidance on UK GDPR compliance, accountability, and the use of personal information. Where Pamoja processes data relating to individuals outside the UK, it will also comply with relevant local legislation and international transfer rules (e.g. EU GDPR, SCCs, UK IDTA, and the EU-US/UK-US Data Privacy Frameworks).
3. Definitions
Term | Definition
--- | ---
Personal data | Any information relating to an identified or identifiable individual. This may include the individual’s: It may also include factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Special categories of personal data | Personal data which is more sensitive and so needs more protection, including information about an individual’s:
Processing | Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing, or destroying. Processing can be automated or manual.
Data Subject | The identified or identifiable individual whose personal data is held or processed.
Data Controller | A person or organisation that determines the purposes and the means of processing of personal data.
Data Processor | A person or other body, other than an employee of the data controller, who processes personal data on behalf of the data controller.
Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
4. The Data Controller
Pamoja processes personal data relating to parents, Students, partner Schools, staff, contractors and others. For its online course services, Pamoja generally acts as a data processor on behalf of partner Schools. For its own staff, contractors, website users and internal operations, Pamoja acts as a data controller. Pamoja is registered as a data controller with the ICO and will renew this registration annually or as otherwise legally required.
5. Roles and Responsibilities
This policy applies to all team members, contractors, and any external organisations or individuals who process personal data on behalf of Pamoja. Everyone covered by this policy is expected to:
- Follow the requirements set out in this policy and in related data protection procedures.
- Complete mandatory data protection training and keep their knowledge up to date.
- Report any personal data breaches or concerns promptly to the Data Compliance Officer (DCO).
Failure to comply with this policy may lead to disciplinary action for staff and, where relevant, may affect the continuation of a contract or engagement for external partners.
5.1 Senior Leadership Team
The Senior Leadership Team has overall responsibility for ensuring that Pamoja complies with all relevant data protection obligations.
5.2 Data Protection Officer
The Data Protection Officer (DPO) is responsible for overseeing the implementation of this policy, monitoring our compliance with data protection law, and helping to develop related policies and guidelines where applicable.
The DPO reports to the Senior Leadership Team with their advice and recommendations on data protection issues. The DPO is also the first point of contact for the Information Commissioner’s Office (ICO). Our DPO is SchoolPro TLC and can be contacted at dpo@schoolpro.uk.
5.3 Data Compliance Officer
The DCO supports the DPO in ensuring day-to-day compliance and acts as the first point of contact for individuals (data subjects) and team members. Should they wish to do so, data subjects and team members can communicate directly with the DPO. Our DCO can be contacted via data.protection@pamojaeducation.com.
5.4 All Team Members
Pamoja team members (staff and contractors) are responsible for:
- Collecting, storing, and processing any personal data in accordance with this policy.
- Informing Pamoja of any changes to their personal data, such as a change of address.
- Completing mandatory data protection training and following related internal procedures.
- Contacting the DCO in the following circumstances:
  - With any questions about the operation of this policy, data protection law, retaining personal data or keeping personal data secure.
  - If they have any concerns that this policy is not being followed.
  - If they are unsure whether they have a lawful basis to use personal data in a particular way.
  - If they need to rely on or capture consent, draft a privacy notice, deal with data protection rights invoked by an individual, or transfer personal data outside the UK and the European Economic Area (EEA).
  - If there has been a personal data breach.
  - Whenever they are engaging in a new activity that may affect the privacy rights of individuals.
  - If they need help with any contracts or sharing personal data with third parties.
6. Data Protection Principles
When processing personal data, Pamoja complies with the data protection principles set out in the UK GDPR:
- Lawfulness, fairness and transparency: personal data should be processed lawfully, fairly and in a transparent manner.
- Purpose limitation: collected only for specified, explicit and legitimate purposes.
- Data minimisation: adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: accurate and, where necessary, kept up to date.
- Storage limitation: kept for no longer than is necessary for the purposes for which it is processed.
- Integrity and confidentiality: processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
- Accountability: Pamoja is responsible for, and must be able to demonstrate, compliance with all the above principles.
7. Collecting Personal Data
7.1 Lawfulness, Fairness and Transparency
We only process personal data when we have a lawful basis under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Depending on the situation, we may rely on:
- Contract – to deliver our distance-learning services to students or to meet obligations to their school (for example, providing access to our online learning platform and support services).
- Legal obligation – to meet duties placed on us by law (e.g. safeguarding requirements, employment law, tax and financial reporting).
- Vital interests – to protect someone’s life in an emergency.
- Legitimate interests – to run and improve our services, keep our systems secure, and communicate effectively, where these interests are not overridden by individual rights.
- Public task – in limited circumstances where we are required to carry out activities in the public interest (for example, certain safeguarding or statutory reporting duties).
- Consent – only where none of the other bases apply and we need clear permission to use the data (e.g. optional marketing or specific learning support apps). If the data subject is a child, consent may be sought from their parent/carer where appropriate.
Whenever we first collect personal data directly, we provide individuals with the information required by data protection law (usually in our Privacy Notices).
7.2 Limitation, Minimisation and Accuracy
- We collect personal data only for specified, explicit and legitimate purposes.
- We will not use personal data for new purposes without informing the individual and, where needed, obtaining consent.
- Staff and contractors must only access or process the personal data necessary for their role.
- We take steps to keep data accurate and up to date.
- When personal data is no longer needed, we delete or anonymise it in line with our Data Retention Policy (available on request).
7.3 Special Category and Criminal Offence Data
Some personal data needs extra protection because it is more sensitive. As part of our statutory functions, we process special category data and criminal offence data in accordance with the requirements of Articles 9 and 10 of the UK GDPR and Schedule 1 of the DPA 2018.
Special Category Data
Special category data is defined at Article 9 of the UK GDPR as personal data revealing:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Data concerning health; or
- Data concerning a natural person’s sexual life or orientation.
Criminal offence data
This includes details of criminal allegations, proceedings, or convictions. Article 10 of the UK GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as “criminal offence data”. We only process these data types when one of the legal conditions in the UK GDPR or DPA 2018 applies. Typical reasons we may rely on are:
- Employment, social security or social protection (e.g. staff sickness, diversity monitoring).
- Safeguarding children or individuals at risk (e.g. investigating a welfare concern).
- Protecting vital interests (e.g. medical emergency).
- Legal claims (e.g. defending or pursuing litigation).
- Substantial public interest where the law allows this for safeguarding or similar duties.
- Explicit consent where none of the above applies and we ask for clear, recorded permission.
We maintain an Appropriate Policy Document (APD) as required by the DPA 2018 whenever we process special category or criminal offence data. The APD explains the lawful conditions we rely on, how we comply with the UK GDPR principles (lawfulness, fairness, minimisation, accuracy, security and storage limitation), and how long we keep such data (as set out in our Data Retention Policy). The APD is an internal compliance document and is available to the ICO or to partner organisations for review on request. For more detail about the types of special category and criminal offence data we process for staff, Students and others, please see our Privacy Notices.
8. Sharing Personal Data
We will not normally share personal data with anyone else, but may do so where:
- There is an issue with a Student or Parent/carer or partner School that puts the safety of our team members at risk.
- We need to liaise with other agencies – we may seek consent, if necessary, before doing this.
- Our suppliers or contractors need data to enable us to provide services to our team members, partner Schools, parents/carers and Students – for example, IT and communication companies, education support companies, and those that provide tools for learning. When doing this, we will:
  - Only appoint suppliers or contractors which can provide sufficient guarantees that they comply with data protection law.
  - Establish a data processing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share.
  - Only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us.
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
- The prevention or detection of crime and/or fraud.
- The apprehension or prosecution of offenders.
- The assessment or collection of tax owed to HMRC or other tax authorities.
- Requirements in connection with legal proceedings.
- Situations where the disclosure is required to satisfy our safeguarding obligations.
- Research and statistical purposes, if personal data is sufficiently anonymised, or consent has been provided.
We may also share personal data with emergency services and local authorities to help them to respond to an emergency that affects any of our Students or team members. Where we transfer personal data to a country or territory outside the UK and, where applicable, the EEA, we will do so in accordance with data protection law, using approved safeguards such as the UK Addendum to the EU Standard Contractual Clauses or the UK-US Data Privacy Framework where required.
9. Subject Access Requests and Other Rights of Individuals
9.1 Subject Access Requests (SARs)
Individuals have the right to ask for a copy of the personal data we hold about them (a “subject access request” or “SAR”). This includes confirmation that we process their data, access to a copy, the purposes of processing, categories of data, who we share it with, how long we keep it, the source (if not collected directly) and whether any automated decision-making is involved. Requests should be sent in writing (letter or email) to our DCO, who will liaise with the DPO. Requests should include the requester’s name, contact details and enough information to locate the data. If a member of staff receives a SAR, they must forward it to the DCO immediately.
9.2 Students and Subject Access Requests
Personal data about a student belongs to that student, even if they are under 18. At Pamoja, most students are aged between 16 and 18 and are generally considered mature enough to understand their data protection rights and the implications of making a SAR. Parents or carers may only make a SAR on behalf of a student if the student has given clear permission or is unable to understand or exercise their own rights (for example, due to specific capacity or safeguarding concerns). Each case will be assessed individually to ensure the student’s rights and best interests are respected. This approach follows the ICO guidance on children’s personal data, which states that a young person aged 13 or above is normally considered competent to exercise their own data protection rights, and that organisations should assess competence on a case-by-case basis.
9.3 Responding to Subject Access Requests
When responding to requests, we:
- may ask for proof of identity and will confirm requests where needed.
- aim to respond within one month. For complex or numerous requests, we may extend by up to two further months and will tell the requester within the first month.
- will provide the first digital or paper copy free of charge; we may charge a reasonable fee for extra paper copies.
- may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive. If we refuse, we will explain why and how to complain to the ICO.
We will not release information if doing so would:
- seriously harm the physical or mental health of the requester or another person;
- disclose that a child is at risk of abuse;
- breach adoption/parental order secrecy; or
- breach a court order.
When we refuse a request, we will tell the individual why and tell them they have the right to complain to the ICO. If someone makes a request on behalf of another person, we will require evidence of their authority (such as written permission or a power of attorney). If this cannot be provided, we may contact the individual directly to confirm the request.
9.4 Other Data Protection Rights
In addition to the right to make a SAR, and to receive information when we are collecting their data about how we use and process it (see section 7), individuals also have the right to:
- Withdraw their consent to processing at any time, where consent is the basis for processing.
- Ask us to rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances).
- Prevent use of their personal data for direct marketing.
- Challenge processing which has been justified based on public interest.
- Request a copy of agreements under which their personal data is transferred outside of the UK or, where applicable, the EEA.
- Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them).
- Prevent processing that is likely to cause damage or distress.
- Be notified of a data breach where it is likely to result in a high risk to their rights and freedoms.
- Make a complaint to the ICO.
- Ask for their personal data to be transferred to a third party in a structured, commonly-used and machine-readable format (in certain circumstances).
Individuals who wish to exercise any of these rights should contact our DCO or DPO. Pamoja’s team members who receive such a request must forward it promptly to the DCO so it can be handled correctly. We take our data protection obligations seriously and will respond to all rights requests in line with the UK GDPR and guidance from the ICO.
10. Parental Requests to see the Student Record
There is no automatic legal right for parents or those with parental responsibility to access a student’s record if the student attends an independent educational institution in England. However, Pamoja chooses to allow parents or carers to access their child’s student record where this supports appropriate and regular communication about the student’s education, in line with ICO guidance on young people’s data rights. Please note that under the Protection of Freedoms Act 2012, a “child” means a person under the age of 18. As most Pamoja students are between 16 and 18, we will normally involve the student in decisions about parental access to their record and seek their consent where appropriate.
11. Biometric Recognition Systems
Pamoja does not collect or otherwise process biometric data. If we were to introduce systems that use biometric data (e.g. for secure access or identity verification), we would conduct a Data Protection Impact Assessment (DPIA), ensure a lawful basis and an applicable special category condition, and update our privacy information before processing.
12. Photographs and videos
Pamoja may occasionally take or record images or video of students and other individuals as part of our educational or community activities. We do not normally use or store images of students under 18, and will only do so with the explicit, informed, written consent of the student and their parent/guardian/carer.
When we request consent, we will explain clearly how the image or video will be used. Possible uses include:
- Limited use on Pamoja’s own platforms (e.g. secure community groups, newsletters, website, social media).
- Inclusion in marketing or promotional materials, or in campaigns run by approved external agencies.
Consent can be refused or withdrawn at any time. If withdrawn, we will delete the image or video and stop any further use. To protect students’ privacy, we do not normally publish personal details (such as full names) alongside images.
For further information about how we keep students safe when using images and recordings, please see our Safeguarding Policy.
13. Data Protection by Design and Default
We build data protection into all our activities from the outset and keep it under review. Measures include:
- Appointing a suitably qualified DCO and an external DPO and providing the resources they need to maintain expertise and oversight.
- Only collecting and using the personal data necessary for each purpose, in line with the data protection principles (see section 6).
- Completing DPIAs whenever processing is likely to result in a high risk to individuals’ rights and freedoms, or when introducing new technologies or large-scale processing of special category data.
- Integrating data protection into our policies, procedures and privacy notices.
- Providing regular training to staff and keeping attendance records.
- Reviewing and auditing our privacy measures regularly.
- Maintaining records of our processing activities (ROPA) including contact details, categories of data and subjects, purpose, recipients, retention, security measures and any international transfers.
- Publishing contact details for the organisation, DCO and DPO and making our privacy information easily available to data subjects.
Data Protection Impact Assessments (DPIAs)
A DPIA is a process to help us identify and minimise the data protection risks of a project. We will conduct a DPIA for processing that is likely to result in a high risk to individuals as well as any other major project which requires the processing of personal data. It is vital that the DPIA is completed before processing is commenced to ensure that all risks are identified and mitigated as much as possible.
Our DPIA will:
- describe the nature, scope, context, and purposes of the processing;
- assess necessity, proportionality, and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
To assess the level of risk, we will consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. We will consult our DPO and, where appropriate, individuals and relevant experts. We may also need to consult with relevant processors. If we identify a high risk that we cannot mitigate, we will consult the ICO before starting the processing. We will implement the measures we identified from the DPIA, and integrate them into our policies, procedures, and practice.
14. Physical Security and Storage of Records
Pamoja takes appropriate technical and organisational measures to keep personal data secure and to protect it from unauthorised or unlawful access, alteration, disclosure, loss or destruction. Because Pamoja operates primarily as an online education provider, most personal data is stored in secure cloud systems rather than in paper files. Where any physical records are created (e.g. signed consent forms), they must be stored securely and disposed of safely when no longer needed. Key safeguards include:
- Password protection: All accounts and devices must use strong passwords and be updated regularly.
- Multi-factor authentication (MFA): MFA or secure device authentication (e.g. fingerprint or face recognition) should be enabled wherever available.
- Encryption: All portable devices and removable media must use encryption.
- Personal devices: Staff, contractors and directors who access personal data on personal devices must follow the same security rules as for organisation-owned systems.
- Secure sharing: Before sharing personal data with any third party, we carry out due diligence and ensure the recipient has appropriate security measures in place (see section 8 – Sharing Personal Data).
These safeguards help Pamoja comply with the UK GDPR’s security principle and reduce the risk of accidental loss, unauthorised access or data breaches.
15. Disposal of Records
Personal data that is no longer needed will be disposed of securely. Personal data that has become inaccurate or out of date will also be disposed of securely, where we cannot or do not need to rectify or update it.
For example, we will shred or incinerate paper-based records and overwrite or delete electronic files. We may also use a third party to safely dispose of records on our behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.
All disposal of records will be carried out in accordance with our Data Retention Policy.
16. Personal Data Breaches
We take steps to prevent personal data breaches and will follow our Personal Data Breach Procedure if a breach is suspected. If required by law, we will report a personal data breach to the ICO within 72 hours and, where appropriate, inform affected individuals without undue delay.
Examples of breaches may include (but are not limited to):
- A non-anonymised dataset about students being published online.
- Safeguarding information disclosed to an unauthorised person.
- Theft of an unencrypted laptop containing personal data.
We investigate all suspected breaches promptly, take remedial action, and keep a record of any breaches in line with UK GDPR requirements.
17. Training
All team members receive data protection training as part of their induction. We also provide refresher or update training whenever changes in legislation or our own processes make it necessary. Data protection awareness is included in our continuing professional development programme to ensure staff maintain good understanding and compliance.
18. Monitoring Arrangements
This policy is reviewed at least annually by the DCO in consultation with the DPO and is presented to the Senior Leadership Team for approval. It will also be reviewed sooner if there are significant changes to data protection law, regulatory guidance, or our processing activities.
19. Links with Other Policies
This Data Protection Policy should be read alongside the following related policies and notices:
- Global Privacy Notice (public website)
- Privacy Policies (for students, parents, and staff)
- Safeguarding Policy
- Data Retention Policy
- Acceptable Use Policy
Together these documents explain how we protect personal data across all aspects of our work. Where not available on the website, these policies are available on request.
20. Links with Procedures
If any team member or data processor discovers or suspects a personal data breach, they must immediately notify the DCO. This will trigger our Personal Data Breach Procedure so that the incident can be assessed and managed promptly.