Academy Privacy and GDPR Policy

Effective Date: 25.11.2025

Last Updated: 25.11.2025

Wheaton Online School (“Wheaton Online,” “we,” “our,” or “us”) is committed to ensuring that all personal data
collected from staff, pupils, parents, visitors, and other individuals is handled in compliance with Indian data protection laws. This Privacy Policy applies to all personal data, regardless of whether it is in digital or paper format.

1. Aims

This policy aims to:
1.1 Ensure that all personal information collected and processed by Wheaton Online School is handled in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and other applicable data-protection requirements in India.

1.2 Maintain full transparency regarding the collection, use, storage, retention, and sharing of personal information.

1.3 Safeguard and uphold the rights of individuals concerning their personal information and its processing.

2. Legislation and Guidance

This policy aligns with the following legal and regulatory requirements:

2.1 The Information Technology Act, 2000

2.2 The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

2.3 The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

2.4 The Digital Personal Data Protection Act, 2023 (to the extent applicable and notified)

2.5 Any other applicable regulations or guidelines governing the protection of personal information and the management of student data in India

3. Definitions

Personal Data: Any information that can be used to identify an individual.
Special Categories of Personal Data: Sensitive information such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, genetics, and sexual orientation.
Processing: Any action performed on personal data, whether automated or manual.
Data Subject: The individual whose personal data is being processed.
Data Controller: The entity that determines the purpose and means of processing personal data.
Data Processor: A party that processes data on behalf of the Data Controller.
Personal Data Breach: A breach of security leading to accidental or unlawful loss, disclosure, alteration, or destruction of personal data.

4. The Data Controller

Wheaton Online School functions as the data fiduciary/data controller for the personal information it collects and processes. The school is responsible for ensuring compliance with the Information Technology Act, 2000, the relevant IT Rules, and applicable data-protection requirements in India. Wheaton Online School has designated a Data Protection Officer/Compliance Officer to oversee data-protection practices and ensure adherence to these legal obligations.

5. Roles and Responsibilities

5.1 Governing Body:
Responsible for ensuring that the school complies with applicable data-protection and information-security obligations under Indian law.

5.2 Data Protection / Compliance Unit:
Oversees the school’s data-protection strategy and implementation to ensure compliance with the Information Technology Act, 2000, relevant IT Rules, and other applicable regulations in India.
The Data Protection Officer/Compliance Officer is responsible for monitoring data-processing activities, advising on legal obligations, managing data-breach incidents, coordinating staff training, and serving as a point of contact for data-protection queries or concerns.
Contact: dpu@wheaton.online

5.3 School Administration / Principal:
Acts on behalf of the school’s data-fiduciary/data-controller role in day-to-day operations and ensures that data-handling practices within academic and administrative functions follow this policy.

5.4 All Staff:
Required to collect, access, store, handle, and process personal information strictly in accordance with this policy and to promptly report any actual or suspected data-breach incidents to the Data Protection Officer/Compliance Officer.

6. Data Protection Principles

All personal data must adhere to the following principles:

6.1 Lawfulness, Fairness, and Transparency: Data must be processed legally, fairly, and in a transparent manner.

6.2 Purpose Limitation: Data should only be collected for specific, explicit, and legitimate purposes.

6.3 Data Minimization: Only the necessary amount of personal data should be collected and processed.

6.4 Accuracy: Data must be kept accurate and up to date, with necessary measures to correct or delete inaccuracies.

6.5 Storage Limitation: Personal data should not be retained longer than required for its intended purpose.

6.6 Integrity and Confidentiality: Appropriate security measures should be in place to protect personal data from unauthorized or unlawful processing, accidental loss, destruction, or damage.

7. Collecting Personal Data

7.1 Types of Information Collected: We collect personal information about pupils, parents, staff, and other stakeholders during admissions and throughout service delivery. This may also include data from previous schools, local authorities, and regulatory bodies.

7.2 Categories of Personal Data: We obtain and process the following categories of personal information:

• Contact details (name, email address, postal address, telephone number)
• Date of birth
• Characteristics (ethnic background, additional educational needs)
• Identification proof
• Financial information (bank details)
• Academic records (test and examination results)
• Support details (plans and support providers)
• Behavioural records
• Attendance records
• Safeguarding information
• Health information
• References from previous schools or education providers
• References given to future schools or education providers
• Correspondence between the school and pupils/parents

7.3 Lawfulness, Fairness, and Transparency: We process personal data in accordance with the following legal bases:

• To pursue legitimate interests of the school or a third party, provided these interests do not override the rights and freedoms of the individual.
• To comply with a legal obligation.
• To safeguard the vital interests of the individual or another person.
• To fulfill a contract with the individual or to take steps at their request prior to entering into a contract.
• To carry out a task in the public interest or in the exercise of official authority.
• With the explicit consent of the individual.

8. Sharing Personal Data

We share personal information only when it is necessary for operational, administrative, or legal purposes and only with appropriate safeguards in place to ensure compliance with applicable Indian data-protection laws. Personal information may be shared in the following circumstances:

• With staff and teachers, for the effective delivery of educational services, administration, and school-related activities.

   

• With regulatory or recognised academic bodies, such as education boards, accreditation bodies, or statutory authorities, as required for compliance, curriculum fulfilment, examinations, or institutional evaluation.

   

• With government authorities, including law enforcement agencies or other competent authorities, when legally mandated under applicable Indian laws.

   

• With authorised third-party service providers, such as IT and technology vendors, learning management systems, assessment tools, payment gateways, and communication platforms, strictly under confidentiality obligations and data-protection requirements.

   

• With other educational institutions or examination boards, where necessary for academic transfers, certification, assessments, or continuation of education.

   

• In emergency situations, with relevant emergency services or authorities, when required to protect the safety, security, or well-being of students, parents, or staff.

   

Wheaton Online School does not share personal information with advertisers, nor does it sell or trade personal data to any organisation for marketing or promotional purposes.

All third parties handling personal information on behalf of Wheaton Online School are required to comply with Indian data-protection laws and follow reasonable security practices and procedures.

9. Subject Access Requests and Other Rights

Individuals have the right to:

• Access their personal information held by Wheaton Online School.

   

• Request correction or updating of inaccurate or incomplete personal information.

   

• Request deletion or erasure of personal information, where permissible under applicable Indian laws.

   

• Restrict or object to the processing of their personal information, where such rights apply.

   

• Withdraw consent at any time, where processing is based on consent (without affecting the legality of processing before withdrawal).

   

• Request the transfer or portability of their personal data to another institution or service provider, where feasible and applicable under Indian regulations.

   

• Raise concerns or file complaints with the designated Data Protection Officer/Compliance Officer of Wheaton Online School if they believe their data rights have been violated.

   

• If required, individuals may also lodge a complaint with appropriate statutory or regulatory authorities empowered under Indian law.

   

All requests must be submitted to the Data Protection / Compliance Unit.
All staff members must promptly forward any such requests they receive to the Data Protection Officer/Compliance Officer for appropriate handling and timely response.

10. Parental Requests for Access to the Educational Record

Parents have the right to request access to their child’s educational record. All requests must be submitted in writing and will be processed within two working weeks.

11. Data Security and Record Storage

Personal data is safeguarded through encryption and password-protected systems. Data is retained in accordance with the school’s retention schedule and securely disposed of once it is no longer required.

12. Personal Data Breaches

The Data Protection Officer/Compliance Officer is responsible for documenting, investigating, and managing any data-breach incidents. Where required under applicable Indian laws, the Data Protection Officer/Compliance Officer will report the breach to the relevant authorities and ensure that affected individuals are notified in a timely and appropriate manner.

In India, data-breach reporting may be made to:

• Indian Computer Emergency Response Team (CERT-In)

   

  • Website: https://www.cert-in.org.in

     

  • Email: incident@cert-in.org.in

     

  • Role: National nodal agency responsible for cybersecurity incident reporting and coordination.

     

Depending on the nature of the breach and applicable legal obligations, additional authorities may be notified as required by Indian law.

13. Photographs and Videos

We obtain written consent before using photos or videos for promotional purposes. Consent can be withdrawn at any time.

14. Data Protection by Design and Default

We ensure compliance by:

Conducting data protection impact assessments.

Training staff on data protection responsibilities.

Keeping detailed records of processing activities.

15. Training

All staff and governors receive mandatory data protection training during induction and ongoing professional development.

16. Monitoring and Review

This policy is reviewed annually by the Data Protection Officer/Compliance Officer to ensure continued alignment with applicable Indian laws, regulatory updates, and best practices in data protection and information security.

17. Contact Us

For any data protection concerns, contact:

Wheaton Online School

Email: dpu@wheaton.online

Address: WB, India

By using our services, you agree to this Privacy Policy.