- Ahliah School is committed to protecting the privacy and security of personal information. Ahliah School is responsible for deciding how to hold and use personal information.
- Ahliah School may update this policy at any time and shall inform the concerned parties if any amendments will significantly affect the relevant parties’ rights.
- This policy applies to all students, former students, parents, former parents, BOT members/emeritus, donors, all personnel and former personnel and Ahliah School’s stakeholders’ personal information.
- Personal data, or personal information, is any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). It includes:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- Date of birth
- Emergency contact information
- Parent/Guardian contact Information
- Visa, Nationality, criminal records and Identification Documents
- Bank account details
- Educational information (including copies of study documentation, certificates and other information included as part of the application process)
- Grades and Progression information
- Behavioral and Attendance information
- Footage and other information obtained through electronic means
- Fee payer information
- Cookies and data analytics information from our web pages
- Recordings of online classes/presentations
- Medical files and information
- “Special categories” are of more sensitive personal data, it is used where it is necessary for Ahliah School’s and individuals’ legitimate interests. Special categories require a higher level of protection and these data includes:
- The child protection concerns.
- Information about health, including any medical condition, health and sickness records.
- Information about criminal convictions and offences.
- To provide a framework for the collection and use of personal information shared with the school, in accordance with the Lebanese law and regulations.
Data Protection Principles
- All personal information that Ahliah holds shall be:
- Used lawfully, fairly and in a transparent way.
- Relevant and limited to specific identified purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes shared with the concerned parties.
- Kept securely.
Personal Information Collection
- Ahliah collects personal information about students, parents and personnel through the application process, either directly from the online application or through copies of documents directly provided by applicants.
- Ahliah collects additional information from third parties including former educational institutions.
The Use of Personal information
- Ahliah shall use personal information in the following circumstances:
- Making a decision about a student or personnel application
- Enrolling a student
- Recruiting personnel
- Complying with a legal obligation
- Providing students with the necessary study material required
- Administering agreements and making arrangements for the termination of the agreement
- Storing in the school management system
- Processing in accounting and auditing purposes
- Conducting performance reviews, managing performance and determining performance requirements
- Dealing with legal disputes involving students, personnel or accidents
- Managing sickness absence
- Complying with health and safety obligations
- Preventing fraud
- Ensuring compliance with our IT policies
- Ensuring network and information security, including preventing unauthorized access to Ahliah’s electronic communications systems and preventing malicious software distribution
- Conducting data analytics studies
- Monitoring equal opportunities
- Advertising purposes: All events, videos and pictures of school activities, commercials or documentaries, are used for ads on all school’s digital and social media platforms. The Communications Coordinator shall ensure consensus of the involved parties to process this data
Purpose of Data Collection
- If Ahliah needs to use personal information for an unrelated purpose, Ahliah shall notify the relevant parties.
Use of Particularly Sensitive Personal Information
- Ahliah shall process this type of information where it is needed in relation to legal claims or where it is needed to protect child’s/personnel interests.
- Ahliah shall use information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with policies, regulations and laws.
- Ahliah shall use information about physical or mental health, or disability status, to ensure compliance with the health and safety policy in the school, to assess fitness to study/work, to provide appropriate adjustments and to monitor and manage sickness/absence.
- Ahliah shall use information about national or ethnic origin, religion, to reach its mission in diversity and to ensure equal opportunity.
- Ahliah shall grant consent for data collection and processing.
- Ahliah shall not need consent to use special categories of personal information in accordance with written policy to carry out legal obligations or exercise specific rights.
- Ahliah shall use information relating to criminal convictions where the law permits. This data is generally processed for safeguarding purposes of children and of individuals.
Accessibility of Data
- The Principal shall review and approve the data accessibility plan.
- Data shall be accessible to Ahliah’s personnel on a need to know basis according to the data accessibility plan (appendix Accessibility plan).
- All the school’s databases are maintained and secured by the IT department.
- Ahliah shall share personal information with third parties where required by law
- Ahliah shall share personal information with third parties as required by law for the following purposes:
- Health Services
- Child Protection Services
- Insurance company
- Ahliah shall share personal information with third parties upon confirmation of third parties’ data protection policies:
- School Management system
- System Financial auditors
- Website host company
- The IT department shall develop and document third parties’ data protection agreements to ensure that third parties are prohibited to share Ahliah’s data (Appendix 1 Agreements and data security protocols of third parties)
A. School Management system
- The School Management System has two main core components, a local system which contains all the core business departments and settings for the Students Information System (SIS) and the other component is the online platform which is used by the students, parents, and teachers to access the grades, agenda, classes and for communication purposes.
- The School Management System data is stored locally on the Ahliah servers as well as on the cloud. The access to the server and the cloud is limited to the IT department. In any case of maintenance or update, the IT department shall give access to the school management system company and monitor the update and maintenance process.
- The online solution and mobile app communicate directly with the server where the data is shared and synced on daily basis. All data synced between the online system and the offline system is encrypted. The decryption key is only on the school management system online server.
B. Learning Management System
- The Learning Management System is used to host emails and end- to- end user applications. All emails are stored directly on the learning management system’s server and no data is stored locally.
- Each user has access to specific applications where s/he can use them on any device. The admin console for the learning management system is managed by the IT department, where new students or faculty members gets an email upon joining the school therefore access to all the applications mentioned above.
- The Learning Management System uses security end-to-end encryption and two-factors authentication to secure the emails and data sent or delivered through it. These applications communicate directly with the Learning Management System’s servers and nothing is synced or saved locally.
C. Local Server
- A server on the school campus is used to host our SIS and core Business software in addition to daily and archived data. Only Admins and Faculty members have access to the local servers and they authenticate locally with a username and password provided by the IT department. To manage files and folders on the server, specific security procedures relevant to departments have been developed to ensure accessibility to qualified personnel and ensure confidentiality.
- The Server is secured by two layers of security. First, is the local centralized Antivirus which protects the data from viruses and malware and unauthenticated users, and second, is a local firewall that protects the whole infrastructure from Distributed Denial of Services (DDoS) attack and or hack.
D. Cloud Backup
- The data is backed up daily to a cloud solution back up (Acronis). On daily basis, our servers sync automatically with Ahliah’s cloud server to synchronize the changed data and to protect it. In terms of security, each data file/folder uploaded to the cloud is using an encryption key provided by the Acronis server, where only Acronis can decrypt the data. This means no man-in-the-middle attack can reveal Ahliah’s data during the sync period as everything is encrypted.
- When the data is on the school cloud solution back up, their servers decrypt the data and save it on their servers
- The IT department shall have access to the cloud solution for a daily checkup on the backup and maintenance of the whole solution.
- Ahliah shall retain personal information for as long as is necessary either to fulfill the purposes Ahliah’s collected the data for or to satisfy any legal, accounting, or reporting requirements.
- All records containing personal information, or sensitive policy information should be made either unreadable or unreconstructable.
- The school Business Office shall maintain a list of records which have been destroyed and the person who authorized their destruction. The Business Office staff shall record the following:
- File title (or brief description);
- Number of files
- The name of the authorizing Head of division/department
- Date action taken