ASP Data Protection Policy
The American School of Paris (ASP) requires certain personal data – including some that is sensitive – about its past and present employees, students, parents, legal guardians, alumni, and other community members, in order to function well as an international school, and as an employer in France.
This policy is intended to ensure that ASP protects all personal data in accordance with the EU General Data Protection Regulation (EU–GDPR), and other related legislation. It applies to data regardless of the way it is collected, used, recorded and shared, and irrespective of whether it is held in paper files or electronically.
This policy applies to all employees, trustees, volunteers, and others working on behalf of ASP (‘members of ASP’s working community’). All members of ASP’s working community involved with the collection, processing and disclosure of personal data should be aware of their duties and responsibilities and adhere to these guidelines.
Individuals at the American School of Paris may have access to a wide range of personal and sensitive data regarding other individuals, depending on their role in the School.
Personal data means any information about, or that may be used to identify, a living person. ASP recognizes that any such data belongs to that individual (‘data subject’), and NOT to ASP or any other person or organization with whom we may share it. The data subject must be provided with complete information concerning the use of their data, and have ultimate control over its use.
Personal data includes, but is not limited to:
- information about members of the school community, such as their name, address, email address, phone numbers, health records and disciplinary records;
- curricular or academic data such as attendance records, grades, comments on progress and achievement, reports and recommendations;
- professional records such as employment history, taxation and social insurance records, confidential employee files and references;
- data held as photographs, video clips (including CCTV footage) or as sound recordings;
- any expression of opinion about an individual kept in a school file or system, or any indication of the school’s or someone else’s intentions towards an individual;
- any other information that might be disclosed by parents, or by other individuals or agencies working with families or employees.
Under the EU-GDPR, special categories of personal data (‘sensitive data’) require additional protection: information that concerns or reveals a person’s political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, state of health, and sex life or sexual orientation. Data concerning children under the age of 15 is also subject to special protections.
Data Protection Principles
The EU–GDPR establishes six principles to which ASP is held accountable whenever it handles personal data. Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The ASP Board of Trustees is ultimately responsible for ensuring that the necessary systems, policies and procedures are in place to ensure that all personal data is appropriately protected, and that all employee, trustees, volunteers, and others working on behalf of the American School of Paris who process or use personal data follow these principles at all times. To that end, ASP has developed this Data Protection Policy.
This policy does not form part of any employee’s contract, although it forms part of the policies accepted as a condition of employment and may be amended at any time. Any breach of this policy by employees may result in disciplinary action.
In order to protect personal data from loss, theft and unauthorized access or disclosure, ASP will deploy necessary physical and technological security systems.
These systems and backup systems will be fully documented, regularly tested, and periodically audited.
All individuals who use technology provided by ASP will be required to comply fully with the respective protocols and procedures.
This policy will be reviewed as it is deemed appropriate, but no less frequently than annually by the Board of Trustees or a nominated representative.