CONFIDENTIALITY, PRIVACY AND DATA PROTECTION
The Anglo-American School of Moscow
Version effective as of November 29, 2021. The following information is based on AAS Moscow's Board Policy 6.80.
1. General provisions
The following procedures (the “procedures”) have been adopted and are in effect at The Anglo-American School of Moscow (the “School” or “we”).
1.1. Procedures objective
These procedures establish how we process and protect the personal data of our students, staff, guests and other individuals.
1.2. Key terms used in the Procedures
“Personal data” means any information related directly or indirectly to a specific or identifiable individual.
Personal data may include, specifically, information that allows identifying an individual (e.g., first name, last name, passport data, and photographs) and additional information (e.g., postal address, email address, phone number, place of employment, job title, and marital status).
“Personal data processing” means any automated or manual operation performed on personal data, including collecting, recording, systematising, gathering, storing, verifying the accuracy of (updating, altering), extracting, using, transferring (distributing, providing access to), depersonalising, blocking, deleting or destroying personal data.
“Controller” means a government body, a municipal body, a legal entity or an individual that, independently or in cooperation with other entities, organises or conducts the processing of personal data. The Operator also determines the purpose for processing personal data, the content of personal data to be processed and the operations to be performed on personal data.
“Automated personal data processing” means processing personal data with computing facilities.
“Cross-border transfer of personal data” means transfer of personal data to the territory of a foreign country, to a foreign authority, a foreign individual or a foreign legal entity.
1.3. Processing principles
When processing your personal data, we will adhere to the following principles:
- Personal data must be processed in a lawful and fair manner.
- The processing of personal data is to be limited to certain predefined and lawful purposes.
- The personal data contents and degree of processing correspond to the stated purposes of personal data processing.
- We will make all reasonable effort to ensure the personal data we process are accurate, sufficient and, where necessary, up to date.
- We will take all necessary action to ensure personal data security during processing.
- We will respect the rights and lawful interests of the personal data subjects and ensure protection of such personal data during processing.
1.4. Personal data subjects’ rights and Controller’s obligations
Protecting your personal data rights and freedoms is pivotal to the way we operate. To ensure your rights and freedoms are protected, upon your request, we, as your personal data Controller, may:
- confirm whether we process your personal data and will allow you to look through it within 30 days from the receipt of your request;
- inform you on the source and contents of your personal data that we process;
- inform you on the legal basis, purposes, terms and means of processing your personal data;
- notify you on the cross-border transfer of your personal data made or planned;
- notify you on the name and location of the organisations, which have access to your personal data and to which your personal data may be disclosed upon your consent;
- notify you of your rights during our processing of your personal data;
- introduce the necessary changes to your personal data if you confirm it is incomplete, inaccurate or outdated within 7 business days from the date of the receipt of such confirmation and notify you on the changes made;
- stop processing your personal data within 30 days from the date of the receipt of withdrawal of your consent provided if there are no other legal grounds;
- stop processing your personal data if unlawful processing on our side is confirmed and notify you on remedial action taken;
- destroy your personal data if unlawful receipt or unintended use thereof is confirmed within 7 business days from the date of the receipt of such confirmation and notify you on remedial action taken;
- answer any questions related to your personal data we process.
For more information on how to contact the School and discuss these and other issues, please see section “How to contact the School”.
2. Purpose for collecting your personal data
When we collect your data, we will notify you on the purpose and conditions of your personal data processing and we will make sure that you, as a personal data subject, will be free to exercise your lawful rights. For example, we may process your personal data for purposes including but not limited to the following main objectives:
- Safeguarding public health;
- Providing safe and secure learning environments for the community;
- Application review and AAS admission decision;
- Records of students’ academic performance and achievements;
- Record of AAS students’ attendance;
- Education and SEN support;
- Organization of groups, athletics and summer camp visit;
- Organization of school trips (inside and outside of Russia);
- Provision of primary health care;
- Medical screening of students;
- Preparation of graduation documents;
- Providing information about former AAS students’ educational performance;
- Review of resumes and candidates selection for the vacant position for further employment;
- Staff records management, maintaining accounting and tax accounting records;
- Execution of employment contracts.
For legal representatives of students and other individuals
- Organisation of access control to the area and premises of AAS;
- Assistance in organising and holding AAS activities;
- Informing the authorized representative about the educational process, academic performance, organization of events and attendance;
- Publication of information about the AAS activities and communication.
2.1 Camera surveillance
We collect information in the form of camera footage via our CCTV-systems to ensure the safety and security of students and staff. We retain these CCTV images for up to 29 days, unless we need to retain the images for further investigation or law enforcement purposes. Access to these images can be requested through the AAS Moscow Privacy Officer at email@example.com.
2.2 Photographs and videos
Non-targeted photographs and videos of you/your child may be used for educational (for example for Distance or Hybrid learning) or other purposes where we have a legitimate interest to do so, for example, to document the broader learning environment at AAS Moscow, within marketing and promotional activities, including alumni, AAS Summer and Sports Camps, or for the identification of you for security or health-related purposes such as allergies and/or life-threatening medical conditions.
There are other occasions, however, where AAS Moscow may wish to publish your image or video, for example as a way of documenting and sharing learning at AAS Moscow. In such instances, AAS Moscow Staff and students may, where applicable with permission, take photographs and videos throughout the school year to record and share everyday life at AAS Moscow.
The making and usage of non-targeted images (i.e. images that reproduce a more general and rather spontaneous, non-posed image, without focusing on one or more persons, such as general atmospheric pictures or group pictures) is based on AAS Moscow’s legitimate interests. Individuals have the right to opt-out from such images at any time.
For the making and use of individual or targeted images, the consent of the data subject is required and is collected via the relevant Consent Form. Targeted images refer to individual photographs or videos whereby specific persons constitute the main subject or when one or a few people are highlighted during a group activity or when posing for an image.
2.2.1 Use of personal devices or personal accounts
Where personal devices are used to take photographs and/or videos, the holder of the device becomes the ‘data controller’ for them and accepts liability including in the event of a data breach, or any other requests made by the data subjects contained within the images.
Where your own personal device is used to document photographs and/or videos of learning at AAS Moscow, you are to be considered the data controller for such images and as such, are wholly liable for their use and/or distribution. In this capacity as data controller, you are also wholly responsible for amending, removing or deleting any personal data pertaining to any data subject affiliated to AAS Moscow, without undue delay upon their request, including where such data may have been uploaded to your social media accounts.
2.2.2 External digital platforms
AAS Moscow also utilizes the services of external platforms including, but not limited to, Facebook, Twitter, Flickr, Vimeo, Flipgrid, Google Classroom, Google Drive, Padlet, Outlook, Finalsite, Toddle, PowerSchool, Mailchimp, HubSpot and the ToucanTech Alumni Portal. These accounts are created in the absence of a formal data processing agreement with the service provider, and as such, a high level of data privacy cannot be guaranteed.
Faculty and Staff at AAS Moscow may also have personal social media accounts, created either through their aas.ru email account, or an alternative personal email address, which they use to document day to day learning at AAS Moscow. AAS Moscow does not manage these accounts. For any processing of personal data via these accounts, the person holding the relevant account qualifies as the data controller.
2.2.3 Performing arts, sporting events and live streaming
Significant events within the school calendar such as graduation or sports matches may include live streaming. Where such events are AAS Moscow hosted, live streaming occurs through online resources such as Vimeo, YouTube, or Facebook.
Furthermore, where performing arts or sporting events are held externally, such events may also be live streamed according to conditions agreed upon by the external host, who will then qualify as the data controller.
3. Legal grounds for personal data processing
The School processes personal data on legal grounds only, such as an obligation to process personal data by law, the need to process to execute a contract signed with the data subject or in its interest, personal data subject’s consent or consent of its legal representative, and other grounds stipulated by applicable legislation.
4. The types of data we process
We process the data you provide to us:
- by submitting documents like your passport, visa, driver’s license, social security number;
- by providing a CV, filling out forms and templates, sending us letters and messages;
- through your legal representatives in cases when they represent your interests;
- by providing your contact details to us, including for establishing business relations.
Furthermore, the School processes data in cases where the processing is required by applicable law.
Certain services and obligations stipulated by law or contract may be provided to you only if you provide related personal data.
5. Procedure and conditions for personal data processing
5.1. Who will have access to your personal data
We may process your personal data both using automated tools including information and telecommunication networks and manually.
We do not make decisions that may affect your rights and interests based on automated processing of your personal data only.
5.2. Who will have access to your personal data
A limited number of the School’s staff and third parties with whom we have signed appropriate agreements will have access to your personal data. When collecting your personal data, we will inform you on the third parties that will have access to your data and on the purposes we transfer your data to such third parties.
We will ensure our staff comply with these procedures. When delegating your personal data processing to third parties, we oblige them to ensure protection and security of your personal data.
The School may be obliged to disclose your data upon request from law-enforcement agencies and other bodies under applicable law.
We will make all reasonable effort to prevent disclosure of your data to third parties who have no legal grounds to process such data and to ensure protection of your personal data during transfer outside the School including cross-border transfers.
5.3. Your personal data protection
We will take all necessary legal, organisational and technical measures to ensure your personal data security under applicable law. In particular, the School:
- appoints a person responsible for organising personal data processing and protection;
- establishes internal personal data protection rules including limitation of the access rights of our staff and authorised third parties to a necessary minimum;
- implements legal, organisational and technical protection measures in compliance with legal requirements, current data security threats and impact on you in case of potential security breach;
- trains its staff responsible for personal data processing to follow secure data processing rules and personal data processing requirements of the School and applicable laws;
- registers all operations with personal data and oversees compliance with and effectiveness of the established protection procedure;
- detects and investigates personal data security breaches and takes action to prevent and mitigate the impact of such incidents including, where necessary, recovering data where it is altered or destroyed.
5.4. The term of personal data processing
The School will process your personal data no longer than is necessary to fulfil the purpose for which they were collected. The personal data may be retained longer where law establishes other retention periods.
6. Updating, correction, deletion or destruction of personal data, responses to data subjects’ requests for access to personal data
The School retains accurate personal data and updates them. You may request to delete, correct or amend your personal data if they are inaccurate or if you believe the School has no right to process them under applicable law. You may also request access to your personal data.
For more detail on how to file a request, see section “How to contact the School”.
The School will permanently destroy your personal data where it is established that the School does not have any legal grounds to process them, e.g., where the retention period has expired or where you have withdrawn your consent. The School will also ensure permanent destruction of your personal data by third parties processing your personal data under the School’s instructions.
7. How to contact the School
If you have any questions on how we apply, use, change or delete the personal data you provided to us or if you want to stop any further communication with the School, please contact us by sending a free-format message to the following email address: firstname.lastname@example.org.
Alternatively, you can send your message to email@example.com, to the attention of the Data Protection, Privacy and Compliance office responsible for organisation of personal data processing.
In all your correspondence with the School, please specify your first and last name, ID (if applicable), personal data processing circumstances that cause doubt or concern, and a detailed account of the matter. We will make all reasonable effort to handle your request promptly.
In some cases, to handle a request, we will need to identify the data subject who filed it. This may entail a personal visit of the data subject to the School and provision of an ID document and (or) preparation of a written request signed personally by the personal data subject or its legal representative.
8. How to learn about the changes in these procedures
If the School makes changes to these procedures, the updated version will reflect all changes and we will notify you of them by updating the effective date of these procedures indicated on the title page. Without prejudice to your rights, under current legislation, we reserve the right to amend these procedures from time to time to reflect new technology, legal developments, new regulations and business practices.