Comprehensive Data Privacy & Protection Policy

1. Introduction and Scope of Policy

CJ Schools Limited (trading and operating as "CJ Schools Modern Montessori Education Centre", "CJ Schools", "the School", "we", "us", or "our") recognizes that the privacy and security of personal information is a fundamental human right. In the digital age, where data is processed at an unprecedented scale, we are dedicated to maintaining the highest standards of data protection for our entire school community.

This Comprehensive Privacy Policy serves as the definitive document outlining how we handle personal data. It is drafted in strict compliance with the Data Protection Act, 2012 (Act 843) of the Republic of Ghana. Furthermore, acknowledging our international standing and the diverse backgrounds of our families (including those who may reside in or originate from the United Kingdom or the European Union), we have aligned our practices with the principles of the UK General Data Protection Regulation (UK GDPR) and the EU GDPR where applicable.

1.1 Who This Policy Applies To

This policy is expansive and covers all individuals ("Data Subjects") whose personal data interacts with our systems. This includes, but is not limited to:

• Current Pupils: Children currently enrolled in any of our programs (Creche, Nursery, Kindergarten, Primary, JHS).
• Prospective Pupils: Children whose parents have inquired about admission or submitted application forms.
• Alumni/Past Pupils: Former students for whom we retain historical records.
• Parents and Legal Guardians: The biological parents, foster parents, or legally appointed guardians responsible for pupils.
• Emergency Contacts: Individuals nominated by parents to be contacted in emergencies.
• Staff Members: All teaching and non-teaching staff, administrators, auxiliary workers, security personnel, and interns.
• Contractors and Third Parties: External service providers, extracurricular instructors, and suppliers.
• Website Visitors: Users accessing our digital platforms, social media pages, and online portals.

1.2 Scope of Operations

This policy applies to all data processing activities across all physical and digital locations of CJ Schools, specifically including our established campuses:

• Kotobabi Branch (Main Office): Located at Gbon Lane, opposite Sidi Star Guest House, Accra.
• Tantra Hills Branch: Serving the Tantra Hills community and environs.
• Adenta Branch: Serving the Adenta community and environs.

2. Key Definitions and Terminology

To ensure transparency and clarity, we define the following terms as used within this document, consistent with Act 843 and international standards:

• "Personal Data": Any information relating to an identified or identifiable natural person. This includes names, ID numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
• "Special Category Data" (or Sensitive Personal Data): Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for ID purposes), and data concerning health or a person's sex life or sexual orientation. In a school context, this most frequently applies to medical records, dietary requirements (often linked to religion or health), and safeguarding information.
• "Processing": Any operation or set of operations performed on personal data, whether or not by automated means. This includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• "Data Controller": The legal entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this policy, the Data Controller is CJ Schools Limited.
• "Data Processor": A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller (e.g., our payroll software provider or cloud storage host).
• "Consent": Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

3. Identity of the Data Controller

CJ Schools Limited is the primary Data Controller for all personal data processed within the school's ecosystem. We are responsible for deciding how and why your data is used and for ensuring it is handled safely and legally.

Data Protection Officer / Lead

We have appointed a dedicated point of contact for data protection issues. If you have any concerns about how your data is being handled, or if you wish to exercise your legal rights, you should contact:

4. Comprehensive List of Data We Collect

We collect and process a wide range of personal data to effectively manage the school and provide education. This data is categorized as follows:

4.1 Pupil Information

• Personal Identifiers: Full legal name, preferred name, date of birth, gender, nationality, unique pupil number (UPN), and passport/national ID details (where applicable for exams).
• Contact Information: Home address, previous addresses.
• Academic Data: Previous school records, assessment reports, exam results (internal and external, e.g., BECE, Cambridge Checkpoint), attendance records, disciplinary records, and awards/achievements.
• Special Category (Sensitive) Data:
  • Medical information: Allergies, dietary restrictions, medication requirements, immunization status, physical or mental health conditions.
  • Special Educational Needs (SEN): Psychological assessments, Individual Education Plans (IEPs), and details of learning support required.
  • Safeguarding information: Court orders, child protection plans, or sensitive correspondence regarding family circumstances.
  • Biometric data: (If applicable, e.g., for library or cafeteria access systems, though strictly regulated).
  • Religious background: (Voluntarily provided for statistical purposes or religious education exemptions).

4.2 Parent and Guardian Information

• Identity Data: Full names, titles, marital status, relationship to the child, nationality, and occupation.
• Contact Data: Home addresses, telephone numbers (mobile, home, work), and personal/work email addresses.
• Financial Data: Bank account details (for refunds or standing orders), mobile money numbers, payment history, fee status, and details regarding financial assistance or scholarships.
• Identification Documents: Copies of ID cards or passports used for verification during enrollment or pickup authorization.

4.3 Emergency Contact Information

We collect names, telephone numbers, and relationship details of third parties nominated by parents to be contacted if the parent is unavailable during an emergency.

4.4 Staff and Applicant Information

• Recruitment Data: CVs, application forms, cover letters, interview notes, reference letters, and academic certificates.
• Employment Data: Contract details, start dates, role descriptions, performance appraisals, disciplinary records, and training records.
• Financial Data: Social Security and National Insurance Trust (SSNIT) numbers, bank account details, tax identification numbers (TIN/Ghana Card), and salary information.
• Background Checks: Criminal record checks and police clearance certificates as required by law for those working with children.

4.5 Technical and Digital Data

• Website Usage: IP addresses, browser types, device information, operating system, time zone settings, and navigation paths through our website.
• CCTV Footage: Video images recorded by security cameras located at the gates, perimeters, and common areas of all CJ Schools branches (Kotobabi, Tantra Hills, Adenta).
• Photography and Video: Images and recordings of students and staff participating in school activities, sports days, graduations, and classroom learning.

5. How We Collect Your Data

We use different methods to collect data from and about you, including:

5.1 Direct Interactions

You may give us your identity, contact, and financial data by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you:

• Apply for admission for your child;
• Complete enrollment and medical forms;
• Create an account on our online learning platforms;
• Subscribe to our publications or newsletters;
• Request marketing or promotional materials to be sent to you;
• Enter a competition, promotion, or survey; or
• Give us feedback or contact us.

5.2 Automated Technologies or Interactions

As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies.

5.3 Third Parties or Publicly Available Sources

We may receive personal data about you from various third parties and public sources as set out below:

• Previous Schools: Transfer files, Common Transfer Files (CTF), and academic records from the child's previous educational institution.
• Medical Professionals: Reports from doctors, psychologists, or therapists (with your consent).
• Government Bodies: Data from the Ghana Education Service (GES) or West African Examinations Council (WAEC).
• Background Check Providers: Police clearance for staff.

6. Purposes of Data Processing

We process personal data for specific, explicit, and legitimate purposes. We do not process data in a manner that is incompatible with these purposes. The core purposes include:

6.1 Educational Delivery

• To support pupil learning and deliver the Montessori and Cambridge curricula effectively.
• To monitor and report on pupil progress (report cards, transcripts).
• To provide appropriate pastoral care and support for social-emotional development.
• To assess the quality of our services and teaching standards.
• To register students for external examinations (e.g., BECE, Cambridge International Exams).

6.2 School Administration

• To process admissions and manage waiting lists.
• To maintain accurate student records and registers.
• To manage fees, billing, invoices, and debt recovery.
• To manage human resources, including staff recruitment, payroll, and appraisals.
• To communicate with parents and guardians regarding school events, closures, and updates.

6.3 Health, Safety, and Welfare

• To ensure the safety of students (e.g., managing allergies, dietary needs).
• To provide first aid and emergency medical assistance.
• To comply with child protection and safeguarding legislation.
• To maintain site security via CCTV monitoring and visitor logs.

6.4 Marketing and Community

• To promote the school through the website, social media, and prospectuses (using photos/videos where consent is granted).
• To maintain relationships with the alumni community.
• To fundraise for school improvements.

7. Lawful Bases for Processing

Under the Data Protection Act, 2012 (Act 843) and GDPR, we must have a valid lawful basis for each processing activity. We rely on the following:

7.1 Contractual Obligation

This is the primary basis for most of our relationship with parents. When you enroll your child at CJ Schools, you enter into a contract with us. We need to process your data (and your child's data) to fulfill this contract—i.e., to educate your child and manage the payment of fees.

7.2 Legal Obligation

We are required by law to process certain data. For example, we must maintain an admission register, report certain data to the Ministry of Education/GES, comply with tax laws regarding staff salaries, and cooperate with law enforcement regarding safeguarding issues.

7.3 Legitimate Interests

We process data where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Examples include:

• Using CCTV for security.
• Sending routine school updates to parents.
• Taking photos for internal displays to celebrate student work.
• Analysing school performance data to improve teaching methods.

7.4 Consent

In specific circumstances, we will ask for your explicit consent before processing data. This generally applies to:

• Using photographs or videos of your child in public-facing marketing materials (website, social media, billboards).
• Sharing data with third parties not directly related to education.
• Sending third-party marketing communications.

Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time by contacting the school office or the Data Protection Lead.

7.5 Vital Interests

In extreme emergencies (e.g., a life-threatening medical incident), we may process personal data to protect the vital interests of the data subject or another person (e.g., sharing medical data with a paramedic).

8. Data Sharing and Third-Party Disclosure

We do not sell your personal data. However, we may share data with select third parties to facilitate school operations. We require all third parties to respect the security of your personal data and to treat it in accordance with the law.

8.1 Categories of Recipients

• Educational Authorities: Ghana Education Service (GES), Ministry of Education, WAEC, and Cambridge Assessment International Education (for exam registration and results).
• School Management Systems: Providers of our student information system (SIS) and learning management systems (LMS) used for grading, attendance, and parent portals.
• Financial Service Providers: Banks, mobile money operators, and payment gateways used to process fee payments.
• Professional Advisers: Lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
• Health and Social Welfare Organizations: Nurses, doctors, or social services where there is a welfare concern or medical need.
• Extracurricular Providers: Third-party companies running after-school clubs (e.g., swimming, taekwondo, music) who need registers and medical info.
• Communication Services: Bulk SMS providers and email marketing platforms (e.g., Mailchimp) used to send school announcements.

9. International Transfers of Data

CJ Schools is based in Ghana. However, some of our service providers (e.g., cloud storage, Cambridge Assessment) may be based outside of Ghana.

Whenever we transfer your personal data out of Ghana, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the relevant data protection authorities.
• Where we use certain service providers, we may use specific contracts (Standard Contractual Clauses) approved for use which give personal data the same protection it has in Ghana/UK/EU.

10. Data Security and Protection Measures

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. These measures include:

10.1 Technical Safeguards

• Encryption: Sensitive data is encrypted in transit and at rest where possible.
• Access Controls: Access to personal data is limited to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
• Firewalls and Antivirus: Our IT systems are protected by robust firewalls and anti-malware software.
• Backups: Regular data backups are performed to ensure data availability in case of technical failure.

10.2 Organizational Safeguards

• Staff Training: All staff undergo regular training on data protection and privacy.
• Paper Records: Physical files are stored in locked cabinets in secure offices with restricted access.
• Clean Desk Policy: Staff are encouraged to keep workspaces clear of sensitive documents when not in use.
• Incident Response: We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

11. Data Retention Policy

We will only retain your personal data for as long as strictly necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and the applicable legal requirements.

Specific Retention Examples:

• Student Academic Records (Transcripts): Retained indefinitely (or for a significant period like 50+ years) to allow former students to request records later in life.
• Admissions Files (Admitted): Retained for the duration of the student's enrollment plus a standard period (e.g., 6 years) after leaving.
• Admissions Files (Refused/Withdrawn): Retained for 1 year to handle any appeals or re-applications, then destroyed.
• Financial Records: Retained for 6 years from the end of the financial year to comply with tax and audit laws.
• CCTV Footage: Generally retained for 30 days on a rolling loop, unless required for an ongoing investigation.
• Staff Records: Retained for 6 years after employment ends, though summary data (dates of employment) may be kept longer for reference purposes.

12. Your Legal Rights

Under the Data Protection Act, 2012 (Act 843) and other applicable laws, you have specific rights regarding your personal data. You can exercise these rights free of charge (though we may charge a reasonable fee for unfounded or excessive requests).

12.1 The Right to Access

You have the right to request a copy of the personal data we hold about you (or your child). This is commonly known as a "Data Subject Access Request" (DSAR).

12.2 The Right to Rectification

You have the right to request correction of the personal data that we hold about you if it is inaccurate or incomplete. We encourage parents to keep their contact details updated via the school office.

12.3 The Right to Erasure ("Right to be Forgotten")

You have the right to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons (e.g., the legal requirement to keep attendance registers or financial records).

12.4 The Right to Restrict Processing

You have the right to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

12.5 The Right to Data Portability

You have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.

12.6 The Right to Object

You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

How to Exercise Your Rights

To exercise any of these rights, please submit a request in writing to the Data Protection Lead at cjsch2006@gmail.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

13. Cookies and Online Technologies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

What is a Cookie?

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

Types of Cookies We Use:

• Strictly Necessary Cookies: These are cookies that are required for the operation of our website (e.g., cookies that enable you to log into secure areas of our website like the parent portal).
• Analytical/Performance Cookies: They allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works.
• Functionality Cookies: These are used to recognize you when you return to our website. This enables us to personalize our content for you and remember your preferences (for example, your choice of language or region).

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.

14. Contact Us and Complaints

We are here to help. If you have any questions about this privacy policy or our privacy practices, please contact us using the details below.