The following document outlines the Data Protection Policy of Home from Home Student Services Ltd (HFH Company number 07332845) trading as London Homestays, UK Student Residences and London Study English.
As of May 25th 2018, GDPR will be enforced by data protection regulators across Europe. This will see the largest change in data processing and storage regulations on over two decades. The new regulations are designed to ensure organisations provide greater transparency and accountability in how we manage and use personal data. It also provides individuals with new and stronger rights to understand and control how that data is used and (if applicable) shared.
Home from Home Student Services is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
Glossary of Terms
Home from Home Student Services Ltd (HFH) – This refers to UK registered company 07332845 which trades as London Homestays, UK Student Residences and London Study English. Any references to ‘HFH’, ‘We’, ‘Us’ or ‘the agency’ refer to this company.
Data Protection Act 1998 – The UK legislation that provides the framework for organisations to abide to when processing and storing personal information.
Data Controller – This a nominated person within HFH who decides which personal information we hold, how it is used, who it is shared with and for how long it is held on record.
Data Protection Officer – This a nominated person within HFH who is responsible for ensuring we follow this data protection policy and comply with the Data Protection Act 1998 including the GDPR amendments.
Individual User – This refers to the person or people whose information is being processed, stored or shared. HFH may process and store data on (but not limited to) active, inactive and prospective accommodation providers/suppliers, students, interns, guests or customers of any kind who apply to use our agency/services, employees, prospective employees, contractors, sub-contractors and partners.
Privacy notice – This is a notice presented to individual users explaining how their data will be processed and who it might be shared with. The individual users will be given the option to agree to this by ‘opting in’ and giving their express consent (see below).
Explicit consent – This is the freely given consent of the individual user for HFH to process, store and (where applicable) share their personal information/data. Explicit consent is required for processing all data including but not limited to sensitive data (see below).
Sensitive data – refers to a specific type of data considered more sensitive than other ‘general data’ such as personal information. This includes the following:
• Racial or ethnic origin
• Political affiliations
• Religion or similar beliefs
• Trade union membership
• Physical or mental health
• Criminal record or proceedings
Personal Information – This is information concerning individuals that enables our agency to identify them e.g. Their name and address. This does not apply to companies or organisations but does apply to individuals within those organisations such as employees.
Processing – This refers to the collecting, amending, handling, storing or disclosing of personal information/data.
Information Commissioner – This is the UK Information Commissioner responsible for implementing and overseeing the Data Protection Act 1998.
HFH will appoint a data controller and a data protection officer. The data controller will be ultimately responsible for controlling the use and processing of the personal and sensitive data of all individual users. The data protection officer is responsible for setting our data protection policies and will endeavour to assist the data controller in meeting the terms of the Act.
HFH needs to process certain information about individual users such as (but not limited to) staff, customers, accommodation providers such as hosts and prospective accommodation providers. The data is processed for various purposes such as, but not limited to:
1. The recruitment and payment of staff.
2. The recruitment, administration and payment of accommodation providers such as hosts.
3. Taking and processing applications from customers and potential customers.
4. Matching customers/potential customers with accommodation providers, sharing information of individual users such as customers/potential customers/agents/schools with other individual users such as accommodation providers and vice versa endeavouring to achieve a confirmed ‘booking’.
5. Taking payments.
6. Receiving, processing and storing of communications such as emails, telephone calls, SMS messages from individual users.
7. Complying with legal and/or accreditation bodies such as but not limited to The British Council and sharing individual user’s data with that accreditation body.
We will ensure that information about individual users is collected and used fairly, stored safely and securely, and not disclosed to any third party unless consent is received through a privacy notice. We will ensure that our agencies privacy notices are written in a clear, plain way that individual users can easily understand.
Our Data Protection and Control Principles
We will abide by the principles stated below:
a) Data will be processed lawfully, fairly and in a transparent manner in relation to individual users;
b) Data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) Data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate (having regard to the purposes for which they are processed), are erased or rectified without delay;
e) Data will be kept in a form which permits identification of data subjects/individual users for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
f) Data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The data controller will be responsible for and be able to demonstrate, compliance with the above principles.
The rights of Individual Users
The GDPR provides the following rights for individuals:
1. The right to be informed
Individual users have the right to be informed about the collection and use of their personal data. This will be clearly stated in our Privacy notices.
2. The right of access
Individuals have a right to access any personal data relating to them which are held by us. Any individual wishing to exercise this right should apply in writing to our agency or directly to the data controller.
Individuals have the right to obtain the following:
• confirmation that we are processing their personal data;
• a copy of their personal data; and
• other supplementary information – this largely corresponds to the information that is provided in our privacy notice.
3. The right to rectification
Under Article 16 of the GDPR, individual users have the right to have inaccurate personal data rectified.
If an individual user feels their data is inaccurate they should submit a ‘request for rectification’ to our agency or directly to the data controller.
4. The right to erasure
Under Article 17 of the GDPR, individual users have the right to have their personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
Individual users have the right to have their personal data erased if:
• the personal data is no longer necessary for the purpose in which our agency originally collected or processed it for;
• The data was collected relying on the consent of the individual users and the individual user withdraws that consent.
• The data was collected or is being processed based on there being a ‘legitimate interest’, and the individual user objects to their data being processed and there is no overriding legitimate interest to continue this processing;
• The data is being processed for direct marketing purposes and the individual user objects to that processing;
In such cases, we agree to erase the data allowing the individual user the ‘right to be forgotten’. If an individual user wishes to have their data erased they should submit a ‘request to be forgotten’ to our agency or directly to the data controller.
5. The right to restrict processing
Under GDPR, individual users have the right to restrict the processing of their personal data in certain circumstances. The data will still be stored, but the way we process and/or share the data will be restricted. This might happen for example if a host wishes to take a break from accommodating students. They may wish for their data to be kept on our system but request we no longer offer their profile to students in accommodation offers.
In such cases, we agree to restrict the use/processing of the data. If an individual user wishes to restrict their data being processed they should submit a ‘data processing restriction request’ to our agency or directly to the data controller. They should make it clear the restrictions they wish to set, the data this corresponds to and the period of time they wish the restriction to be in place for.
6. The right to data portability
Individual users have the right to receive personal data they have provided to our agency/data controller in a structured, commonly used and machine-readable format. This data can be issued to the individual user and/or (if requested by the induvial user) transferred to another controller.
7. The right to object
Article 21 of the GDPR gives individual users the right to object to the processing of their personal data. This effectively allows individual users to ask us to stop processing their personal data.
In such cases, we agree to stop using/processing their data. If an individual user wishes for us to stop processing their data they should make this clear to our agency or directly to the data controller.
8. Rights in relation to automated decision making and profiling.
This gives individual users protection against decisions being made based on automated profiling i.e. without human involvement. Although our agency users information technology to match accommodation requests with accommodation providers, the final decision is always made by a human.