Environmental Policy for Incyte International Ltd and MGA Education Ltd

Last reviewed January 31st 2022

Introductory Statement

 MGA Education Ltd/Incyte International Ltd are committed to seeking excellence in every aspect of our business to minimising the environmental impacts of our business operations. Since the formation of our business in 2005, we have been fully committed to ensuring our adverse impact on the environment is reduced to as close to zero as possible.

1. Our commitment is to:

-      Continuously improve our environmental performance and to integrate recognized environmental management best practice in our business operations.

-      Reduce our consumption of resources and improve the efficient use of these resources through the purchases of resources online or locally.

-      Measure and take action to reduce the carbon footprint of our business activities by conducting as many of our meetings as possible online.

-      Manage waste generated from our business operations incorporating reduction, re-use and recycling in accordance with the principles of effective waste management.

-      Manage energy usage, for example, by purchasing equipment that has lowest consumption and encouraging use of vehicles which are as climate friendly as possible.

-      Manage our business operations to prevent pollution wherever possible.

-      Ensure environmental, including climate change, criteria are taken into account in the procurement of goods and services.

-      To reduce water consumption by re-using water where possible.

-      Comply as a minimum with all relevant environmental legislation as well other environmental requirements we believe are necessary.

2. To meet our commitments we will:

-      Review our policy each year to ensure we take into account all new legislation.

-      Review our performance and agree actions to improve where necessary.

-      Monitor our business on a day-to-day business to ensure our adverse impact on the environment is at zero or minimised as far as we can achieve.

-      Engage with our consultants to ensure they are aware of our drive for improvement in all aspects of our work.

-      Work together with our consultants, service partners, suppliers and clients to promote improved environmental performance where possible.   

Date of Last Review - 31.01.2022

 Person Responsible – Malcolm Greenhalgh, Director

 Signed:

 Malcolm Greenhalgh

Director

MGA Education Ltd and Incyte International Ltd

Our environment action plan for 2021 and 2022

-      To ensure, in discussion with all our consultants, clients and suppliers that all printing of documents is kept to zero or minimized as far as possible.

-      To reduce travel to meetings with consultants and schools by conducting all meetings, where possible, through Zoom, Teams or Skype.

-      To reduce any form of printing by using online technology for all but essential reasons.

-      To encourage working from home as the norm and conducting well-being sessions through Zoom, Teams or Skype where these are possible.

ANNEX 1

Training Content

Data Protection Act

High-profile security breaches have increased public concern about the handling of personal information. As some 80% of security incidents involve staff there is a clear need for all workers to have a basic understanding of the Data Protection Act 1998 (DPA).

1. Keeping personal information secure

 Do staff know:

-      To keep passwords secure – change regularly, no sharing?

-      To lock / log off computers when away from their desks?

-      To dispose of confidential paper waste securely by shredding?

-      To prevent virus attacks by taking care when opening emails and attachments or visiting new websites?

-      About working on a 'clear desk' basis - by securely storing hard copy personal information when it is not being used?

-      That visitors should be signed in and out of the premises, or accompanied in areas normally restricted to staff?

 -      About positioning computer screens away from windows to prevent accidental disclosures of personal information?

-      To encrypt personal information that is being taken out of the office if it would cause damage or distress if lost or stolen?

-      To keep back-ups of information?

2.  Meeting the reasonable expectations of customers and employees

Do staff know:

 -      To collect only the personal information they need for a particular business purpose?

 -      To explain new or changed business purposes to customers and employees, and to obtain consent or provide an opt-out where appropriate?

-      To update records promptly – for example, changes of address, marketing preferences?

-      To delete personal information the business no longer requires?

-      That they commit an offence if they release customer / employee records without your consent?

-      About any workplace monitoring that may be in operation?

3. Disclosing customer personal information over the telephone

Do staff know:

-      To be aware that there are people who will try and trick them to give out personal information?

 -      That to prevent these disclosures they should carry out identity checks before giving out personal information to someone making an incoming call?

-      To perform similar checks when making outgoing calls?

-      About limiting the amount of personal information given out over the telephone and to follow up with written confirmation if necessary?

4. Notifying under the Data Protection Act

 Do staff know:

-      Whether the company has a notification entry with the ICO or is relying on an exemption?

-      That you need to monitor changes in business use of personal information, and notify the ICO if appropriate?

5. Handling requests from individuals for their personal information (subject access requests)

 Do staff know:

 -      That people have a right to have a copy of the personal information you hold?

-      How to recognise a subject access request?

-      Who to pass it to if it is not their responsibility to answer?

-      That the company has a maximum of 40 days to respond?

-      That the maximum fee that can be charged is £10?

-      That they may need to check the identity of the requester?

-      What to do if other people’s information is contained in the proposed response

ANNEX 2

Digital Platform

Data Protection Policy for Users of the Digital Platform

Introduction

MGA Education Ltd and Incyte International Ltd are fully committed to compliance with the requirements of the Data Protection Act 1998 (“the Act”), which came into force on the 1st March 2000.  We therefore follow procedures that aim to ensure that all Digital Platform users and employees that have access to any personal data held by MGA Education Ltd and Incyte International Ltd are fully aware of and abide by their duties and responsibilities under the Act.

Statement of policy

In order to operate efficiently, MGA Education Ltd and Incyte International Ltd have to collect and use information about people whom appear on our Digital Platform system.  These may include senior leaders, teachers, non-teaching staff, pupils and parents.  In addition, we may be required by law to collect and use information in order to comply with the requirements of central government.  This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, and there are safeguards within the Act to ensure this.

MGA Education Ltd and Incyte International Ltd  regard the lawful and correct treatment of personal information as very important to their successful operation and to maintaining confidence between ourselves and our client schools/academies.  MGA Education Ltd and Incyte International Ltd  will ensure that they treat personal information lawfully and correctly.

To this end we fully endorse and adhere to the Principles of Data Protection as set out in the Data Protection Act 1998.

The principles of data protection

 The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice.  These Principles are legally enforceable.

The Principles require that personal information:

1.        Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;

2.        Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;

3.        Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;

4.        Shall be accurate and where necessary, kept up to date;

5.        Shall not be kept for longer than is necessary for that purpose or those purposes;

6.        Shall be processed in accordance with the rights of data subjects under the Act;

7.       Shall be kept secure i.e. protected by an appropriate degree of security;

8.        Shall not be transferred to a country or territory outside the European           

           Economic Area, unless that country or territory ensures an adequate

           level of data protection.

The Act provides conditions for the processing of any personal data.  It also makes a distinction between personal data and ”sensitive” personal data.

Personal data is defined as, data relating to a living individual who can be identified from:

·        That data;

·        That data and other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

Sensitive personal data is defined as personal data consisting of information as to:

·        Racial or ethnic origin;

·        Political opinion;

·        Religious or other beliefs;

·        Trade union membership;

·        Physical or mental health or condition;

·        Sexual life;

·        Criminal proceedings or convictions.

 Handling of personal/sensitive information

MGA Education Ltd and Incyte International Ltd  will, through appropriate management and the use of strict criteria and controls:-

·        Observe fully conditions regarding the fair collection and use of personal information;

·        Meet its legal obligations to specify the purpose for which information is used;

·        Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;

·        Ensure the quality of information used;

·        Apply strict checks to determine the length of time information is held;

·        Take appropriate technical and organisational security measures to safeguard personal information;

·        Ensure that personal information is not transferred abroad without suitable safeguards;

·        Ensure that the rights of people about whom the information is held can be fully exercised under the Act.

These include:

·        The right to be informed that processing is being undertaken;

·        The right of access to one’s personal information within the statutory 40 days;

·        The right to prevent processing in certain circumstances;

·        The right to correct, rectify, block or erase information regarded as wrong information.

In addition, MGA Education Ltd and Incyte International Ltd will ensure that:

 ·        There is someone with specific responsibility for data protection in the organisation;

·        Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;

·        Everyone managing and handling personal information is appropriately trained to do so;

·        Everyone managing and handling personal information is appropriately supervised;

·        Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;

·        Queries about handling personal information are promptly and courteously dealt with;

·        Methods of handling personal information are regularly assessed and evaluated;

·        Performance with handling personal information is regularly assessed and evaluated; 

All elected members are to be made fully aware of this policy and of their duties and responsibilities under the Act.

All managers and staff within MGA Education Ltd and Incyte International Ltd will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

 ·        Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;

·        Personal data held on computers and computer systems is protected by the use of secure passwords, which where possible have forced changes periodically;

·        Individual passwords should be such that they are not easily compromised.

All contractors, consultants, partners or other servants or agents of the MGA Education Ltd and Incyte International Ltd must:

 ·        Ensure that they and all of their staff who have access to personal data held or processed for or on behalf of MGA Education Ltd and Incyte International Ltd, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the Act.  Any breach of any provision of the Act will be deemed as being a breach of any contract between MGA Education Ltd and Incyte International Ltd and that individual, company, partner or firm;

·        Allow data protection audits by MGA Education Ltd and Incyte International Ltd of data held on its behalf (if requested);

·        Indemnify MGA Education Ltd and Incyte International Ltd against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.

 All contractors who are users of personal information supplied by MGA Education Ltd and Incyte International Ltd will be required to confirm that they will abide by the requirements of the Act with regard to information supplied by the council. 

Implementation

 MGA Education Ltd and Incyte International Ltd have appointed a Corporate Information Officer.  This officer will be responsible for ensuring that the Policy is implemented.  The Corporate Information Officer will also have overall responsibility for:

·        The provision of cascade data protection training, for staff within the MGA Education Ltd and Incyte International Ltd.

·        For the development of best practice guidelines.

·        For carrying out compliance checks to ensure adherence, throughout the authority, with the Data Protection Act.

Notification to the Information Commissioner

 The Information Commissioner maintains a public register of data controllers.   MGA Education Ltd is registered as such.

 The Data Protection Act 1998 requires every data controller who is processing personal data, to notify and renew their notification, on an annual basis.  Failure to do so is a criminal offence.

 To this end the designated officer will be responsible for notifying and updating the Information Officer of the processing of personal data, within their directorate.

 The Information Officer will review the Data Protection Register with designated officers annually, prior to notification to the Information Commissioner.

 Any changes to the register must be notified to the Information Commissioner, within 28 days.