WHO WE ARE
Concord College, Acton Burnell Hall, Acton Burnell, Shrewsbury, Shropshire, SY5 7PF, England is the name of the school acting as the Data Controller with responsibility for the confidentiality, integrity and availability of personal data. The College has appointed the Assistant Bursar (Finance and Operations) as the Data Protection Officer.
- any contract between the College and its staff or the parents of students;
- the College’s policy on taking, storing and using images of children;
- the College’s CCTV policy;
- the College’s data retention policy;
- the College’s safeguarding, pastoral, or health and safety policies, including as to how concerns or incidents are recorded; and
- the College’s IT policies, including its Acceptable Use policy.
RESPONSIBILITY FOR DATA PROTECTION
The Data Protection Officer will deal with all requests and enquiries concerning the College’s uses of personal data (see section on Your Rights below) and will endeavour to ensure that all personal data is processed in compliance with this policy and Data Protection Law. The Data Protection Officer can be contacted on +44 (0) 1694 731 836 or by the following email address:
WHY THE COLLEGE NEEDS TO PROCESS PERSONAL DATA
In order to carry out its ordinary duties to staff, agency workers, students, parents and visitors, the College may process a wide range of personal data about individuals (including current, past and prospective staff, students or parents) as part of its daily operation. The College will need to process data in order to fulfil its legal rights, duties or obligations – including those under a contract with its staff, or the parents of its students. Other uses of personal data will be made in accordance with the College’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals and provided it does not involve special category or sensitive types of data.
The College expects that the following uses may fall within that category of its (or its community’s) “legitimate interests”:
- for the purposes of student selection and to confirm the identity of prospective students and their parents;
- to provide education services, including musical education, physical training or spiritual development, career services, and extra-curricular activities to students, and monitoring students’ progress and educational needs;
- maintaining relationships with alumni and the College community, including direct marketing or fundraising activities;
- for the purposes of donor due diligence and to confirm the identity of prospective donors and their backgrounds;
- for the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law, such as diversity or gender pay gap analysis and taxation records;
- to enable relevant authorities to monitor the College’s performance and to intervene or assist with incidents as appropriate;
- to give and receive information and references about past, current and prospective students, including that relating to outstanding fees or payment history, to/from any educational institution that the student attended or where it is proposed they attend; and to provide references to potential employers;
- to enable students to take part in national or other assessments, and to publish the results of public examinations or other achievements of students of the College;
- to safeguard students’ welfare and provide appropriate pastoral care;
- to monitor (as appropriate) use of the College’s IT and communications systems in accordance with the College’s ICT Acceptable Use Policy;
- to make use of photographic images of students in College publications on the College website and on the College’s social media channels in accordance with the College’s policy on taking, storing and using images of children;
- for security purposes, including CCTV, in accordance with the College’s CCTV policy;
- where otherwise reasonably necessary for the College’s purposes, including to obtain appropriate professional advice and insurance for the College;
- to coordinate a maintenance programme for the premises of the College in line with the timetables of students to cause minimum disruption to classes;
- to verify vehicle categories and to observe any penalty points of College drivers so that appropriate insurance arrangements can be made.
In addition, the College may need to process special category personal data (concerning health, ethnicity, religion or sexual life) or criminal records information (such as when carrying out Disclosure and Barring Service (DBS) checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons may include:
- to safeguard students’ welfare and provide appropriate pastoral and, where necessary, medical care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition where it is in the individual’s interests to do so: for example for medical advice, to social services, for insurance purposes or to organisers of College trips;
- to determine student location data by using location information supplied by student mobile devices for use in the event of emergencies so that appropriate immediate action and advice can be provided;
- to provide educational services in the context of any special educational needs of a student;
- to provide Personal, Health, Social and Economic (PSHE) education in the context of any religious beliefs;
- in connection with employment of its staff, for example DBS checks, health, welfare or pension plans;
- for legal and regulatory purposes, for example child protection, diversity monitoring and health and safety and to comply with its legal obligations and duties of care.
TYPES OF PERSONAL DATA PROCESSED BY THE COLLEGE
This will include by way of example:
- names, addresses, telephone numbers, e-mail addresses and other contact details;
- information relating to recruitment checks such as qualifications, references, DBS checks;
- vehicle details (regarding those who use our car parking facilities and Automatic Number Plate Recognition (ANPR) access control system);
- bank details and other financial information, for example, regarding parents who pay fees to the College, the payment of salaries to staff and the payment of expenses to visitors;
- past, present and prospective students’ academic, disciplinary, admissions and attendance records including information about any special needs, examination scripts and marks;
- where appropriate, information about an individual’s health, visa and passport data and contact details for their next of kin;
- references given or received by the College about students and information provided by previous educational establishments and/or other professionals or organisations working with students, and
- images of students (and occasionally other individuals) engaging in College activities, and images captured by the College’s CCTV system in accordance with the College’s policy on taking, storing and using images of children.
HOW THE COLLEGE COLLECTS DATA
Generally, the College receives personal data from the individual directly including, in the case of students, from their parents. This may be via a form, or simply in the ordinary course of interaction or communication such as e-mail or written assessments. However, in some cases personal data may be supplied by third parties, for example, another College, education agency, employment agency, or other professionals or authorities working with that individual, or collected from publicly available resources.
WHO HAS ACCESS TO PERSONAL DATA AND WHO THE COLLEGE SHARES IT WITH
Occasionally, the College will need to share personal information relating to its community with third parties, such as professional advisers, for example, lawyers and accountants or relevant authorities such as HMRC, the police or a local authority. For the most part, personal data collected by the College will remain within the College and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis). Particularly strict rules of access apply in the context of:
- medical records held and accessed only by the College Senior Nurse and appropriate medical staff under his/her supervision, or otherwise in accordance with express consent;
- pastoral or safeguarding files, and
- financial records of parents in respect of bursary applications.
However, a certain amount of any relevant student’s special educational needs information will need to be provided to staff more widely in the context of providing the necessary care and education that the student requires.
Staff, students and parents are reminded that the College is under duties imposed by law and statutory guidance including Keeping Children Safe in Education (KCSIE) to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This may include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities such as the Local Authority Designated Officer (LADO) or police. For further information about this, please view the College’s Safeguarding Policy.
The College uses a central system to collate any low level concerns from pastoral and teaching staff. This information is drawn from confidential College e-mails and may include details on attendance, academic progress, student conduct and wellbeing. This information is kept secure through password protection and is stored locally on the College network. This information is never transferred to anyone outside the College other than on legal grounds.
Finally, in accordance with Data Protection Law, some of the College’s processing activity is carried out on its behalf by third parties, such as IT systems, web development or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the College’s specific directions.
HOW LONG WE KEEP PERSONAL DATA
The College will retain personal data securely and only for as long as it is necessary to keep it for a legitimate and lawful reason. Typically, the College will retain ordinary student files for up to 8 years following departure from the College and ordinary staff files for 10 years. However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements. For any specific queries about how this policy is applied, or for requests that personal data no longer believed to be relevant is considered for erasure, please contact the Data Protection Officer. However, please bear in mind that the College may have lawful and necessary reasons to retain some data. In general, the following types of information will be subject to the corresponding retention period:
- Admissions information including application forms, assessments and records of decisions. This information will be retained for 8 years from the date the student leaves the College (or, if a child is not admitted for any reason, up to 2 years from that decision).
- Student files including personal details, academic reports, performance records and medical records. This information will be retained for 8 years from the date the student leaves the College (subject where relevant to safeguarding considerations). Any material which may be relevant to potential claims will be kept for the lifetime of the student.
- Examination results (external or internal). This information will be retained indefinitely.
- Special educational needs records. Typically, this information will be retained for up to 35 years from date of birth although the retention requirements will be set on a case by case basis.
Financial details will be retained for 15 years from the end of the financial year in which the transaction took place. The financial year is 1 September to 31 August.
KEEPING IN TOUCH AND SUPPORTING THE COLLEGE
The College will use the contact details of parents, alumni and other members of the College community to keep them updated about the activities of the College, or alumni and parent events of interest, including the sending of updates and newsletters by e-mail and by post. Unless the relevant individual objects, the College may also:
- share personal data about parents and/or alumni, as appropriate, with organisations set up to help establish and maintain relationships with the College community, such as the alumni association;
- contact parents and/or alumni by post and e-mail in order to promote and raise funds for the College.
Should an individual wish to limit or object to any such use, or would like further information about this, please contact the Data Protection Officer. Individuals always have the right to withdraw consent, where given, or otherwise object to direct marketing or fundraising. However, the College may need nonetheless to retain some of your details, not least to ensure that no more communications are sent to that particular address, email or telephone number.
Individuals have various rights under Data Protection Law to access and understand personal data about them which is held by the College, and in some cases ask for it to be erased or amended or for the College to stop processing it, but subject to certain exemptions and limitations.
Any individual wishing to access or amend their personal data, or wishing for it to be transferred to another person or organisation, should put their request in writing to the Data Protection Officer.
The College will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. The College will be able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, the College may ask an individual to reconsider or may charge a proportionate fee, but only where Data Protection Law allows it.
Certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege. The College is also not required to disclose any student examination scripts, nor any confidential reference given by the College for the purposes of the education, training or employment of any individual.
Individuals have the “right to be forgotten”. However, the College will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing personal
Students can make subject access requests for their own personal data, provided that, in the reasonable opinion of the College, they have sufficient maturity to understand the request they are making (see section Whose Rights below). Indeed, while a person with parental responsibility will generally be expected to make a subject access request on behalf of younger students, the information in question is always considered to be the child’s at law. A student of any age may ask a parent or other representative to make a subject access request on his/her behalf and moreover (if of sufficient age) their consent or authority may need to be sought by the parent. Students aged 13 are generally assumed to have this level of maturity, although this will depend on both the child and the personal data requested, including any relevant circumstances at home. Children younger than 13 may be sufficiently mature to have a say in this decision. All subject access requests from students will therefore be considered on a case by case basis.
Where the College is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware, however, that the College may have another lawful reason to process the personal data in question without consent.
Where the College has described its legitimate interests in processing personal data, individuals have the right to object to processing. Whilst the right to object to direct marketing is absolute, the onus is on the College to justify its legitimate interests in processing the data. Objections to data processing should be submitted to the Data Protection Officer. The College will carefully consider all objections to processing personal information.
Individuals also have the right to data portability and may request that their data is made available in a structured, commonly used and machine-readable format. The College will endeavour to do this within the limitations of its information systems.
The rights under Data Protection Law belong to the individual to whom the data relates, but the College may rely on parental consent to process personal data relating to students (if consent is required). However, given the nature of the processing in question, parents should be aware that in some situations, they may not be consulted. This will depend on the interests of the child, the student’s age and understanding, the parents’ rights at law or under their contract and all the circumstances.
In general, the College will assume that students’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student’s activities, progress and behaviour and in the interests of the student’s welfare, unless, in the College’s opinion, there is a good reason to do otherwise.
However, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, the College may be under an obligation to maintain confidentiality unless, in the College’s opinion, there is a good reason to do otherwise, for example where the College believes disclosure will be in the best interests of the student or other students, or if required by law.
Students are required to respect the personal data and privacy of others and to comply with the College’s Acceptable Use Policy and the College rules. Staff are expected to respect personal data and the privacy of others in a similar way.
DATA ACCURACY AND SECURITY
The College will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must notify the College of any changes to information held about them. An individual has the right to request that any inaccurate or out-of-date information about them is erased or corrected subject to certain exemptions and limitations under Data Protection Law.
QUERIES AND COMPLAINTS
If an individual believes that the College has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should utilise the College’s complaints procedure and should also notify the Data Protection Officer. The individual also has the right to make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO).
However, the ICO recommends that steps are taken to resolve matters between the parties before involving the regulator.