ISH Privacy Notice
International School of Helsinki (“ISH”) processes personal data on its prospective, current and former students and their parents or legal representatives, as part of its everyday operations of providing educational services.
ISH handles your personal data according to the General Data Protection Regulation no. 679 / 2016 applicable in the European Union (“GDPR”). For these purposes, ISH acts as controller with regard to your personal data and the personal data of students (“Personal Data”), meaning ISH establishes the purposes and means of processing the Personal Data.
For the purposes of this Privacy Notice, please note that the term “processing” shall represent any operation performed on Personal Data, whether or not by automated means such as collection, recording, storage, adaptation, alteration, consultation, use, disclosure by any means, erasure or destruction.
ISH wishes to be completely transparent with regard to the processing of Personal Data and therefore, we have presented below all the information you may need on this subject matter.
Please take a little of your time to read this privacy notice to understand the data processing operations carried out by ISH.
1.
The purposes for which ISH processes your Personal Data:
ISH processes Personal Data that pertain to you or to the students for the following purposes:
- Provision of educational services, starting with the admissions process, enrolling students, administration of classes and timetable, teaching activities, administration of internal and public examinations, assistance regarding the application process to various universities, issuance of academic records.
- Provision of educational ancillary services: pastoral care, career and personal counselling, library services, extracurricular activities, school trips, managing school’s publications, setting up the virtual learning environment and granting access to ISH’s Intranet and Internet network as well as monitoring the use of ISH’s network.
- Ensuring campus security: monitoring access on campus, performance of video surveillance.
- Provision of the medical care and counselling that students may need.
- School administration: handling student records and other academic documentation, administration of fees and accounts, internal audits and controls, reporting and statistics creation, implementing school policies, ensuring collaboration with other schools, archiving, assessing the quality of our services, facilitating research activities.
- School related communications: conveying various messages related to the students and ISH’s activities by any communication means.
- Organizing fundraising activities and other school events (e.g., concerts, theatre productions, talent shows), including marketing communications related to the fundraising activities organized by ISH.
- Dispute resolution and litigations.
2.
The categories of Personal Data that ISH processes, include, but are not limited to the following:
- Identification and contact information (first and last name, citizenship, country of birth, address, information included in ID’s / passports, phone number, e-mail etc.);
- Bank details are retained by the Business Office only for school payments;
- Health data: medical history, allergies, immunization records, disorders, medical examination results and other medical data of the students;
- Data related to the educational background and regarding school performance of the students: academic, disciplinary or other educational related records, academic references, special needs, hobbies, results of educational diagnosis testing, test results, feedbacks, evaluations etc.;
- Behavioral data as well as data on preferences / interests of students;
- Family information: household information, language background, profession and workplace of parents etc.;
- Authentication and physical access data: e-mail, passwords, badge number, location data, other online identifiers, car details etc.;
- Photos and videos.
Generally, the Personal Data held by ISH were provided directly by the parents or resulted from the interaction the parents and the students have with the school. In some cases, third parties (e.g., representatives of former schools attended by students) supply data.
3.
The lawful basis for the processing operations we conduct with regard to the Personal Data
ISH collects and further processes Personal Data, based on one of the following legal grounds, expressly laid down by the GDPR:
- The consent you have granted us, prior to any processing of the personal data, for
- the use of students’ photographs and videos in various school publications (including Yearbook) on ISH’s website and social media pages;
- the use of your contact details for communication between school and family/student, and the PTO
- other consents that may be granted from time to time for various processing activities.
- For the completion of our admissions process.
Please note that there are some mandatory categories of personal data necessary to ISH in order to process enrolment applications and provide the educational services to students at a high standard and in the best interest of the students.
The mandatory categories of personal data are included in the application form, which you have filled in on-line. All the categories of data that are compulsory are marked accordingly in the application form.
Please take into consideration, that all the mandatory categories of data are necessary for ISH to be able to evaluate your application and finally to enroll your child. Failure to provide all the information marked as mandatory will lead to the impossibility of ISH to process your application.
- A legal obligation that requires ISH to process your Personal Data (e.g. performance of video surveillance).
- For the performance of a task carried out in the public interest, considering that ISH provides educational services, regarded as a service of public interest, according to the local applicable provisions on education, many processing operations conducted by ISH that are strictly related to educational purposes will be founded on this lawful basis for processing. We refer here mainly to issuing and storing academic records, evaluating students’ performance etc.
- The legitimate interest pursued by ISH.
ISH relies on this legal ground in order to provide the educational services it has committed to deliver and additional services related to this scope at the highest standards, always for the benefit of the students and without outweighing the parents or the students’ rights and liberties.
ISH may invoke the legitimate interest legal ground in the following cases:
- monitoring use of the ISH’s virtual learning environment and network, including monitoring the use of e-mails account provided by ISH;
- conducting fundraising activities, including marketing of such activities;
- enforcement of legal claims, addressing complaints and third party controls;
- management, control, reporting and performing statistics on schools activity;
- ensuring security;
- maintaining close relationships with alumni and ISH’s community;
- collaboration with other schools and educational institutions;
- performance of agreements with suppliers, including insurance suppliers;
- access to grants and other funding sources.
With respect to the processing of the special categories of personal data under the GDPR, respectively health data, please take into consideration that ISH processes health data based on the following legal grounds:
- The necessity of the school nurse to process such data for the purpose of preventive and occupational medicine, medical diagnosis and the provision of health or social care or treatment on the basis of European Union or national law;
- Processing is necessary for reasons of substantial public interest, on the basis of European Union or national law. Such a legal ground is used especially in those situations where the school has to assess the learning capacity of a student and adapt the teaching activities to the special needs of a student.
- The explicit consent granted by you for the disclosure of the personal data of students related to the allergies they suffer from.
4.
Disclosure of Personal Data
ISH discloses your Personal Data only to those members of ISH, staff and collaborators, who need access to the personal data mainly for ensuring the provision of the educational and ancillary services. In this respect, please take into account that only the nurse has access to the students’ medical records. Other departments of the school have access to specific health data based on the consent you have expressed (i.e. for allergies) or in order to protect a substantial public interest based on EU or national law (e.g., various medical conditions triggering special learning needs).
With respect to the disclosure of your Personal Data to third parties, outside ISH, please note that such disclosure is performed solely in the regular activity of the school. The categories of recipients include the following:
- IT providers, including educational applications, on-line tools, server hosting suppliers such as ManageBac and NWEA etc.
- Cafeteria Owner in its capacity of independent provider of meal services on campus;
- Other educational institutions or organizations, not limited to other schools;
- Travel agencies, catering and transportation providers;
- ISH’s photographer and video crew (web team and media club) Courier services providers;
- Utilities services providers;
- Public authorities and institutions, national or foreign, judicial courts and foreign embassies or other forms of diplomatic missions;
- Tax, legal and accounting consultants.
5.
Retention and Disposal of Personal Data
ISH holds all your Personal Data for as long as you are enrolled, and afterwards for a standard period as specified in our ISH record management plan for which ISH can justify a need in storing such personal data.
ISH keeps the student file and all the data related to the student interaction with ISH mainly for the scope of assessing the school’s activity and the quality of services provided but also for addressing potential request of students with regard to their school career within ISH, which usually appear after the students have graduated. The school will follow all local legal requirements for the retention and disposal of student data.
6.
Your rights related to the processing of Personal Data by ISH
The GDPR provides certain rights related to the processing of personal data, that both you and the students have. In this respect, please be informed that students may be able to use the rights listed in this section as specified by Finnish law.
ISH respects all the rights mentioned under the GDPR and is committed to furnishing the appropriate means by which you can exercise these rights, according to the details mentioned below:
The right of access, which entails your possibility to obtain the confirmation from ISH whether your Personal Data is being processed by ISH or not, and if the case may be you are entitled to solicit access to this data, as well as additional information regarding the Personal Data, such as: the purposes of processing, the categories of recipients the Personal Data are being disclosed to and the envisaged retention period.
In the situations where you may need to exercise the right of access, please consider contacting ISH and requesting confirmation by e-mail at dpo@ishelsinki.fi Please consider that there might be specific situations that are exempted from the right of access, such as information that identifies other individuals or which is subject to confidentiality obligations.
- The right to rectification, that allows you to request ISH rectification of any inaccurate Personal Data that ISH may hold, as well as to have your incomplete Personal Data to be completed.
- The right to erasure meaning that in the situations expressly regulated by law, you may request erasure of your personal data. Please take into account, that the cases where the law provides for the possibility of erasure of personal data amount to the situations where the processing is unlawful or where the processing is based on your consent, and you have withdrawn such consent.
- The right to restriction of processing, signifying your right to obtain restriction of processing your Personal Data from ISH’s part. Please bear in mind that this right can be exercised only in specific situations laid down by the GDPR such as when you challenge the accuracy of your Personal Data. During the period necessary for us to rectify your data, you may ask us to restrict the processing of your Personal Data.
- The right to data portability implying your right to receive the personal data in a structured, commonly used and machine-readable format and further to transmit such data to another controller. This right to data portability shall be applicable only to the personal data you have provided to us and where the processing is carried out by automated means based on your consent or for the performance of the contract you have concluded with ISH.
- The right to object to the processing of your Personal Data by ISH, on grounds relating to your particular situation. The right to object applies to the situations where ISH relies on consent as legal basis for processing (e.g. using your e-mail address for conveying fundraising related messages).
- The right to lodge a complaint designates your right to challenge the manner in which ISH performs processing of your Personal Data with the competent data protection authority.
- The right to withdraw your consent given for various processing operations, in cases where the consent represents the lawful basis for processing. In cases where you withdraw your consent to processing your Personal Data, please note that the processing will end from the moment the withdrawal takes place without any effect on the processing that took place prior such withdrawal.
7.
Profiling
ISH creates various profiles through automated means based on the Personal Data that pertain to students. Generally, such profiles are created via various applications used in the on-line education environment such as the MAP Testing Tool
ISH creates and uses such profiles to evaluate the performance of its students, to identify gaps in their development or to assess specific traits that characterize students’ personality, preferences, and behavior or professional inclinations.
8.
Video Surveillance
ISH has implemented a video surveillance system on the campus, in order to ensure security of its students, staff and all the other persons that enter our premises. The security and wellbeing of our students is our primary concern and these video cameras allow us to offer real time protection.
All the areas covered by a video camera are signalized on campus through specific banners, informing you with regard to the video surveillance conducted by the ISH.
9.
Contact Point
In the situation where you may wish to exercise any of the rights listed under point 7 of this Privacy. Notice or to obtain additional information or clarifications on the subject of processing your Personal Data please contact ISH, via its appointed Contact person of the ISH Data Protection Team–responsible for ensuring that ISH complies with all the requirements of the GDPR.
Contact Details of ISH’s Data Protection Team:
E-mail address: dpo@ishelsinki.fi
10.
Whistleblowing at ISH
ISH offers a whistleblowing channel for anyone to anonymously report malpractice, unlawful, unethical behaviour within the workplace or any other abuse witnessed.
You can read the full PROCESS OF WHISTLEBLOWING HERE.
The present Privacy Notice shall apply along with other policies / procedures adopted at the level of ISH. For more information please contact our Data Protection Officer dpo@ishelsinki.fi