Data Protection Policy

 

1. Introduction

Crossroads Educational Consultants (“Crossroads”) is committed to protecting the privacy and security of personal information. This policy outlines how we collect, use, store, and protect data in compliance with the Data Protection Act 2018 (DPA 2018), the General Data Protection Regulation (GDPR), and the Joint Council for Qualifications (JCQ) requirements. It applies to all personal data collected, processed, and stored by Crossroads, including that of students, parents, staff, and external partners.

2. Purpose

The purpose of this Data Protection Policy is to ensure that Crossroads:

  • Complies with data protection laws and follows good practices.
  • Protects the rights of students, parents, staff, and other individuals.
  • Is transparent about how it stores and processes individuals’ data.
  • Protects itself from the risks of data breaches.

3. Scope

This policy applies to:

  • All employees, contractors, consultants, and volunteers at Crossroads.
  • All personal data processed by Crossroads, whether in electronic or paper format.

4. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual.
  • Processing: Any operation performed on personal data, such as collection, storage, use, and destruction.
  • Data Subject: An individual whose personal data is processed.
  • Data Controller: Crossroads, as the organisation determining the purposes and means of processing personal data.
  • Data Processor: A third party that processes personal data on behalf of Crossroads.

5. Data Collection

Crossroads collects and processes personal data for the following purposes:

  • To provide educational services to students.
  • To comply with legal obligations.
  • To communicate with students, parents, staff, and partners.
  • To monitor and report on student progress.
  • For safeguarding purposes.
  • To manage exams and access arrangements.

Personal data collected may include (but is not limited to):

  • Contact details (names, addresses, email addresses, phone numbers).
  • Student records (academic progress, attendance, behavioral data).
  • Medical information relevant to educational support (if applicable).
  • Additional Learning Needs (ALN) information.
  • Exam details and results.
  • Financial information (if applicable).

6. Lawful Basis for Processing

Crossroads processes personal data on the following legal bases:

Consent: Where explicit permission is required (e.g., for sharing data with external services).

Contractual Obligation: To fulfill contractual agreements with staff and service users.

Legal Obligation: To comply with legal requirements, including safeguarding.

Legitimate Interests: Where processing is necessary for the legitimate interests of Crossroads, provided these do not override the rights of individuals.

7. Data Storage and Security

Crossroads ensures that personal data is stored securely and in compliance with JCQ requirements by:

  • Storing digital data in secure, password-protected systems that meet JCQ’s standards for secure information storage.
  • Restricting access to personal data to authorised personnel only, in line with JCQ’s guidelines for exam-related information and student records.
  • Using encryption and secure servers for data storage, particularly for sensitive information related to exam arrangements.
  • Storing paper-based data in locked filing cabinets with controlled access, ensuring that JCQ guidelines for the storage of exam-related material are strictly adhered to.
  • Regular audits of our data storage systems are conducted to ensure compliance with GDPR and JCQ standards.

8. Data Retention

Crossroads will retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Personal data will be securely destroyed once it is no longer needed, in compliance with JCQ’s retention policies for exam records and results.

9. Data Sharing

Crossroads may share personal data with third parties only where it is necessary and appropriate, and in accordance with the Data Protection Act 2018 and UK GDPR.

Personal data may be shared in the following circumstances:

  • With consent from the data subject or their legal guardian, where explicit permission has been provided.
  • When required by law, such as safeguarding obligations or other statutory requirements.
  • With examination boards for the purposes of registering students for examinations, submitting access arrangements, and reporting examination results, in accordance with Joint Council for Qualifications (JCQ) regulations.
  • With professionals providing additional support to students, such as Additional Learning Needs (ALN) specialists, healthcare providers, or other relevant educational professionals, where this support has been requested or agreed.

All third parties receiving personal data are required to comply with Crossroads’ data protection standards and with the requirements of UK GDPR, the Data Protection Act 2018, and relevant JCQ regulations.

Clarification Regarding Local Authority Data Sharing

For families engaging with Crossroads through elective home education or private educational services, Crossroads recognises that parents retain primary responsibility for their child’s education.

Crossroads will not routinely share personal data with Local Authorities (LEAs) or other external authorities regarding a student’s educational provision without the explicit consent of the parent or legal guardian.

Personal data will only be shared with a Local Authority or other regulatory body where:

  • the parent or legal guardian has provided explicit consent, or
  • Crossroads is legally required to do so, for example in cases involving safeguarding concerns or other statutory obligations.

Crossroads does not conduct routine reporting to Local Authorities regarding elective home educated students and respects the rights of families to manage their educational arrangements privately.

10. Data Subject Rights

Individuals have the following rights concerning their personal data:

  • The Right to be Informed: Individuals have the right to know how their data is being processed.
  • The Right of Access: Individuals can request a copy of the personal data held by Crossroads.
  • The Right to Rectification: Individuals can request corrections to inaccurate or incomplete data.
  • The Right to Erasure: Individuals can request the deletion of their personal data, subject to legal constraints.
  • The Right to Restrict Processing: Individuals can request the restriction of data processing in certain circumstances.
  • The Right to Data Portability: Individuals can request the transfer of their data to another organisation in a machine-readable format.
  • The Right to Object: Individuals can object to data processing based on legitimate interests or direct marketing.

To exercise any of these rights, individuals should contact Crossroads at info@crossroads.wales

11. Data Breach Procedures

In the event of a data breach, Crossroads will:

  1. Take immediate steps to contain the breach and minimise potential damage.
  2. Notify affected individuals if their personal data has been compromised.
  3. Report the breach to the Information Commissioner’s Office (ICO) within 72 hours if it poses a risk to individuals’ rights and freedoms.
  4. Conduct a thorough investigation and implement corrective measures to prevent future breaches.

12. Roles and Responsibilities

  • Data Protection Officer (DPO): The current Data Protection Officer at Crossroads is Katherine Gibson, responsible for overseeing data protection compliance. The DPO will handle data subject requests and liaise with the ICO if needed.
  • All Staff: Employees and contractors must ensure that they process personal data in line with this policy, GDPR requirements, and JCQ standards, especially in relation to exam-related information.

13. Training and Awareness

Crossroads provides regular training to all staff on data protection responsibilities, security measures, and best practices. Training is also part of the onboarding process for new employees and includes specific guidance on JCQ requirements for exam-related data handling.

14. Review of the Policy

This Data Protection Policy will be reviewed annually or when necessary to comply with new legislation, guidance, or JCQ updates.

15. Contact Information

For any questions or concerns regarding this policy or data protection practices, please contact Crossroads at:

Email: info@crossroads.wales Phone: 0722042940

ICO Reference Number: ZB881879

Date of Last Revision: 28/3/2026

Approved by: K.S. Gibson

K.S. Gibson

Katherine Gibson, Director

Shopping Basket