Full policy

Data Protection Policy

 

Approved by the Academy Trust July 2018

 

Contents

Introduction

What is Personal Information?

The Principles of the General Data Protection Regulations

Data Protection Privacy Notice

Responsibilities: Students

Rights to Information being Correct

Right to Erasure

Subject Consent

Sensitive Information

Police and Local Authority Access to Personal Information

CCTV images

High risk activity – Data Protection Impact Assessments

Retention of Data

Compliance

Complaints

Appendix 1: Data Retention Schedule

Appendix 2: Personal Information Asset Register

Appendix 3: Additional Information

Appendix 4: Mobile devices

Appendix 5: Transitional Arrangements 2018/19

Appendix 6: Data Protection Impact Assessment Form

Appendix 7: Data Protection Privacy Notices

 

 


Introduction

 

The College collects data and processes information for the purpose of operating the educational activities of the College, in order to administer its operation, secure funding, assess the performance of the College, recruit and employ staff, operate Safeguarding (including Child Protection) procedures, and administer the College as a whole.

 

The College is registered with the Information Commissioner’s Office. The registration notice outlines how personal data is collected and processed. The College is also subject to the Privacy and Electronic Communications (EC Directive) Regulations 2003, and consideration for this is included in this policy.

 

While the College is also subject to The Freedom of Information Act 2000, Data Protection is paramount. However, it also has a Duty of Care under the Children Act 2004, and must comply with the Counter-Terrorism and Security Act 2015 and Investigatory Powers Act 2016, in relation to its recording and retention of personal information. The Data Protection Act (2018) controls how personal information is used by organisations. The General Data Protection Regulation (GDPR) requires everyone responsible for using data to follow ‘data protection principles’.

What is Personal Information?

Personal information is anything which can be identified with an individual and is personal to them. For example, a person’s date of birth, performance, image, contact or financial details would be considered personal information.

 

The Principles of the General Data Protection Regulations

Personal information should be:

 

 (a) processed lawfully, fairly and in a transparent manner in relation to individuals;

 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

 

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

 

(d) accurate and every reasonable step must be taken to ensure that any personal data that is inaccurate is erased or rectified without delay;

 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

 

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. [1]

 

Aims and Objectives

 

The aim of this Policy is to ensure that any processing of personal data complies with the Data Protection Act and GDPR regulations.

 

All students, staff and other users are entitled to:

  • know what information the College holds about them and why
  • know how to gain access to it
  • know how to keep it up to date and accurate
  • know what the College is doing to comply and demonstrate its obligations under the Data Protection Act (2018)

 

Personal Information Processing by, and on behalf of the College

 

The College uses personal information to assess the performance of individual students and statistical cohorts of students with various characteristics, which may include personal information. In some cases, this analysis may be contracted to companies or organisations.  Such analysis must not be disclosed to a third-party, or indeed publicly released, where the nature of any particular characteristic means that any individual can be uniquely identified.

 

The College may, occasionally, seek assistance from companies for specific purposes, such as tracking destinations of students, or providing training to staff. Only the minimum information needed for this purpose will be disclosed and appropriate agreements must be in place to ensure Data Protection.

 

In no case will the College process personal information in a manner which is detrimental to the student. Automated decision-making processes may be used where they are innocuous, for example using a student’s previous school or the distance from a home address to provide an order in which students are invited to enrol. No automated process will be used to decide whether an applicant is accepted for a place at College, nor their academic programme.

 

Personal information may not be sold or passed on to any other organisation for financial gain. Personal information may be passed to the Police on receipt of a formal request.

Data Protection Privacy Notice

 

The College will inform all students, staff, trustees and other stakeholders, via a data protection privacy notice, how their data will be held and processed according to this policy.

 

Applicants are provided with a data protection privacy notice describing how their information will be used during the Application process. This provides consent for their data to be stored while their application is being completed, in order to facilitate the College assisting with that application.

 

Before Applicants submit their full and final application they must positively agree to the privacy notice that applies to all Godalming College students, otherwise the application cannot be processed.

 

The notices also remind staff and students that it is their responsibility to update the College (normally via Student Reception or the Personnel team), should their personal information change.

 

Responsibilities: Staff

 

In the course of their work, staff will often use information about students, colleagues, applicants, or other data subjects and as such can be described as ‘processing personal data’ on behalf of the Data Controller.

 

In this capacity, staff must:

  • Only collect or access information which is relevant and necessary to their role, and not attempt to access any information to which they are not entitled.
  • Ensure any personal data they hold is kept securely to prevent access by others.
  • Ensure that it is kept in a structured system (either on paper or electronically) in order that it can be retrieved if required.
  • Ensure that personal information is not disclosed, accidentally or otherwise, to any unauthorised third-party.
  • Destroy personal data once the purpose for which it was collected has passed.

 

The College has a central database system, known as the College Information System (CIS), which provides for a secure, encrypted system with appropriate access controls.

 

However, personal information may need to be extracted from CIS for various reasons (such as Trip Contact Sheets, Value Added calculations, references or other records). This extracted information must be kept securely, and destroyed once its use is complete. In any case, the primary record must be maintained in the College’s database.

 

On-site College systems are secured by strong passwords and encryption, and may only be accessed by authorised staff in order to execute their duties.

 

In the case of information relating to Safeguarding, additional security measures such as two-factor-authentication are required.

 

Where information is passed to another body or agent of the College for further processing, it must be within the context of this policy.

Responsibilities: Students

 

Students must ensure that all personal data provided to the College is accurate and up to date.  They must ensure that changes of personal details are notified to Student Reception who will ensure that these are updated on our CIS system.

 

Students must comply with this policy as part of the Student Contract.

 

Responsibilities: The Data Controller

 

Godalming College is the Data Controller in relation to its activities under the General Data Protection Regulations and subsequent legislation. The Academy Trust is ultimately responsible for the College’s compliance and implementation of the Regulations. The Data Protection Officer reports directly to the Principal for Data Protection matters.  Responsibility for liaison with the Information Commissioner’s Office, and advising the Senior Management Team on Data Protection matters lies with the Head of ILT Services. This role is also designated the Data Protection Officer.

 

Responsibility for administering ‘subject access’ is managed by the Director of Services, who may delegate tasks relating to this matter, where appropriate.  This role is designated the Subject Access Controller.

 

Rights to Access Information

 

Students, staff and other users of the College have the right to access any personal data that is kept about them.

 

Some records held by the College are subject to the Education Records exemptions identified by the Information Commissioner’s office.  However, the College shall seek to minimise the records withheld to those which contain the opinion of another person – such as references, the details of disciplinary investigations, homework feedback, or the contents of internal emails. Further details are included in Appendix 2.

 

A Data Subject may formally exercise the right of Subject Access by submitting a request in writing which provides sufficient information to reasonably verify the identity of the requestor. The Subject’s personal information will normally be provided to them in an electronic format.

 

The College aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within one month, unless there is a good reason for the delay – in this case the data controller will inform the data subject of the reason for the delay.

 

If an individual makes a request which is deemed to be excessive or unfounded, the College may charge a fee commensurate with the cost, or refuse to provide the information requested.

Rights to Information being Correct

 

The College will amend its records as soon as practicable where it is notified by a Data Subject that information is incorrect. This can be done via the College’s Administration team or Personnel office.

Right to Erasure

 

The College is unable to exercise its legal duties unless personal information is retained, as set out in Appendix 1. The rights to erasure are set out in Data Protection Privacy Notices. Peripheral systems such as the College’s mailing list, or Open Evening Registration, where there is no associated legal duty, provide the means for the recipient to remove themselves from the College’s data system.

Subject Consent

 

Data Subjects will have consented to their personal information being processed as part of the general administration of the College, as described to them in the Data Protection Privacy Notice. Any incomplete application, or an application where the Notice is not ‘accepted’ will not be subject to further processing by the College.

 

However, specific consent is required before information is released to a third-party, for example the publication of specific examination results in the media, or the use of a student’s image on the College website or external publication.

 

Sensitive Information

 

The College may process sensitive information about a person’s health, disabilities, criminal convictions, family details, race or gender in pursuit of the legitimate interests of the College.

 

This may include processing ‘suitability checks’ (such as with the Disclosure and Barring Service) where an individual will be working with young people or vulnerable adults.

 

The College asks applicants about any particular health needs from staff and students, such as allergies to particular medication, or medical conditions which may be relevant where First Aid may be required.

The College will only use this information to protect the health and safety of the individual, but it may be reviewed by the Learning Support Manager in case of impact on the Teaching and Learning affecting the individual. Trustees do not normally have access to personal information, except in relation to specific staffing or legal matters. In such cases, the personal information will be treated under the terms of reference for the relevant committee or remit in relation to a particular College policy.

 

Police and Local Authority Access to Personal Information

 

Personal information about an individual may be disclosed to the Police when an officer has formally requested particular information as part of the data sharing agreement. Normally this request will be made in writing – but it is at the College’s discretion to assist the Police where a Student’s wellbeing is at risk. Any such request should be processed by the Head of Administration, a member of the Senior Management Team, or the Data Protection Officer.

 

No Sensitive information (as defined by the Data Protection Act) may be disclosed unless there is a documented reason and only with the specific authority of the Principal.

 

The College has a legal duty under the Children Act (2004) to inform the Local Authority where a child’s welfare is at risk. Where the Data Subject is under 18, the College does not require consent to inform the Local Authority where it has concerns. However, wherever possible, the Data Subject will be properly informed of the process, according to the College’s Safeguarding Policy.

 

The Local Authority also has a legal duty under the Education and Skills Act 2008 to monitor the participation of young people in education – the College may provide personal information to satisfy this legal duty.

 

CCTV images

 

The College site has a CCTV system in order to prevent and detect behaviour which is in breach of the Staff or Student Contract, as well as crime (including Trespass) committed on the campus.

 

The College does not use software to automatically identify individuals using biometric data, nor number plate recognition for personal vehicles. Therefore, images routinely captured and stored do not constitute personal information, but the data must be kept securely, and encrypted.

 

Direct access to live CCTV images is restricted only to Security staff. Images may be stored for up to 30 days, except where an incident has been detected, in which case video clips or snapshots may be kept, and made available to appropriate staff, until the proceedings of any incident have been concluded.

 

Where an incident has been recorded, and the CCTV image has been captured in this way, it will form part of the personal information for those affected, and therefore is subject to Subject Access. Images will only be released where no other identifiable person is within the image.

 

Where a crime has been alleged to have been committed, the College may release images to the Police for their investigation, as part of the data sharing agreement the College has with the Police.

High risk activity – Data Protection Impact Assessments

 

Any activity involving personal information which either uses new technologies, or presents a high risk to the rights and freedoms of individuals, is subject to a Data Protection Impact Assessment. This includes any new process where personal information is passed onto a 3rd party for further processing.

 

Any member of the College wishing to conduct such activity should consult the Data Protection Officer to determine whether a DPIA needs to be completed. Where a DPIA is completed, it shall be performed according to relevant guidance in place.

Retention of Data

 

The Act does not stipulate specific timeframes for retaining personal data; it only states that it should not be kept for longer than is necessary. The College keeps different types of information for differing lengths of time, depending on legal, academic and operational requirements in keeping with the purpose of the data when it was collected. The schedule of retention is shown in Appendix 1.

Compliance

 

All staff, students, trustees, visiting or associate staff, contractors and other members of the College are required to comply with this Policy. Any breach of the Data Protection Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be addressed to the Data Protection Officer, in the first instance.

 

Any suspected Data Security Breach should be reported immediately to the Data Protection Officer, who will evaluate whether a Breach has taken place. In the case of a Breach, it will be reported to the Information Commissioner in line with the relevant regulations in place. In the absence of the Data Protection Officer, the College Duty Manager shall take the action needed to report the Breach.

Complaints

 

Any complaint regarding Data Protection should be made, in the first instance, to the Data Protection Officer, whose email address is dpo@godalming.ac.uk.

 

If the complaint is not resolved by the College, it may be referred to the Information Commissioner’s office:

The Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Appendix 1: Data Retention Schedule  

 

 

| Type of Record | Retention Period | Reason |
|---|---|---|
| Personnel files | 6 years from the end of employment | Provision of references and limitation period for litigation |
| Wages and Salary Records, notes of grievance and disciplinary hearings | 10 years | Taxes Management Act 1970 |
| Records of counselling records held on the College site | Records are retained only for the duration of the counselling that is required by the individual | Providing ongoing care for student or staff |
| Staff application form and interview notes | 6 months from date of interview date for unsuccessful candidates. Application form retained with Personnel file for successful application. | Limitation period for litigation |
| Facts relating to redundancies | 12 years from date of redundancies | Limitation period for litigation |
| Income Tax, Maternity Pay and Statutory Sick Pay records | 7 years after the tax and financial year to which the records relate | Income Tax (Employment) Regulations 1993, Statutory Maternity Pay (General) Regulations 1986, Statutory Sick Pay (General) Regulations 1982 |
| Accident records | 3 years after Academic year to which the records relate | Management of Health and Safety |
| Health records | 3 years from the end of employment | Subject Access, limitation period for personal injury claims |
| Records kept in relation to the Control of Substances Hazardous to Health | 40 years | COSHH regulations |
| Student Files, Performance Data, References etc | 6 years from the end of the Academic Year to which the records relate | Subject Access, Job/Education references. Audit evidence for funding and performance data. |
| Virtual Learning Environment records | Within the current academic year only | Operation of online learning environment |
| Computer usage logs/internet history | One year | To ensure the College can comply with Prevent legislation |
| Basic student information sufficient only to confirm whether a student attended the College. | 10 years from the end of the Academic Year to which the records relate – in electronic form only. | Provision of limited references for ex-students. |
| CCTV images | 30 days unless a specific incident has occurred or the images have been identified as evidence for police intervention. | Investigation of alleged or suspected criminal activity or investigation of behaviour by students which contravenes policies relating to student behaviour |
| Staff personal network areas which may include personal information | 1 year from date of leaving | Access to materials created by Staff member |
| Personal information relating to a student where a Safeguarding concern has been raised | Until the academic year following the individual’s 25th Birthday or 6 years after the latest contact with the student, whichever is the latest. | Sector guidelines, based on Children Act 2004. |

 

 

 

 

 


 

Appendix 2: Personal Information Asset Register

 

Students and applicants

 

| Class of Information | Collection Method | Basis for processing | Included in Subject Access File? | External Processing Details (Destination / reason) |
|---|---|---|---|---|
| Personal Contact details: Name, Address, contact details, Parent contacts, previous school | Online Application Form (College Information System) | Funding regulations, college operations. | Yes | DfE / funding and quality; Alchemy (ALPS) / value added; 6 Dimensions / value added; Exam Boards / exam entries; WisePay / online payments; Kerboodle / access to online course materials; UCAS / Exam Entries; Surrey Police / detection & prevention of crime (see policy); Unifrog |
| Courses studied, start/end dates, Learning Aims and results; Attendance Marks including absence reasons, Benchmark Assessment grades | Enrolment discussions (CIS); Staff Registers, online markbook (CIS) | Student Contract/legal duty; Funding regulations; Funding regulations, Educational activity | Yes; Yes | DfE / funding and quality; Alchemy (ALPS) / value added; Prev school / progression monitoring; 6 Dimensions / value added; Exam boards / assessments; UCAS / Exam Entries; Unifrog; 6 Dimensions / value-added calculations |
| Details about Learning Support, Learning Support Logs and details of exam arrangements | Details entered by Learning Support into CIS | Educational activity, college operations | Yes | Exam Boards / exam arrangements; DfE |
| Individual teacher markbook information and learning notes | Online markbook, spreadsheet or paper records depending on the teacher’s preference | Educational activity | Not paper records (Educational Records), Official Coursework marks will be available for students to view from May 2018 | n/a; Exam boards / exam marking |
| Internet usage logs | Firewall logs | College operations, detection of activity contrary to student contract | No, but can be requested separately if required. | n/a |
| Disciplinary records, Learning Plans (intervention), and Learning Support Logs, and records of 1:1 meetings. Details of official communication sent home from College which relate to disciplinary matters | Recorded via College Information System; Text of emails sent recorded via College Information System | Educational activity | Yes; Yes | No, except in the case where there is a Safeguarding concern (Local Authority) |
| References sent to Universities or employers | Entered directly into College Information System by staff | Student Contract | No, these are exempt. | University or Employer / reference |

 

 

Parents/Carers

 

| Class of Information | Collection Method | Basis for processing | Included in Subject Access File? | External Processing Details (Destination / reason) |
|---|---|---|---|---|
| Personal details: Name, Address, contact details, Parent contacts | Online Application Form (College Information System) | Educational Activity (Student Contract) | Yes – details of the parent are included, along with the name of the Student | n/a |
| List of financial transactions from the Parents’ Portal | Parents’ Portal | College operations | Yes | Sage Pay / payment processing |
| Contact details entered into Ticketsource | Booking software | Administration of College events | Information available from Ticketsource | n/a |

 

Staff and Job Applicants

 

| Class of Information | Collection Method | Basis for processing | Included in Subject Access File? | External Processing Details (Destination / reason) |
|---|---|---|---|---|
| Personal Contact details: Name, Address, contact details, absence records | Application forms | Staff contract, operations as an employer | Yes | DfE / workforce surveys; Surrey CC (Webcare) / payroll administration |
| Financial | Via Personnel | Payment of wages or reimburse expenses | Yes | Surrey CC/payroll/NI/LGPS/TPS contributions |
| Professional Review | Value-Added and results, notes of review conversations | Staff contract, performance monitoring as an employer | Is available via the College Information System | n/a |
| Payroll Records | College instruction via Contracts | Staff contract | No, this information is held by Surrey Payroll Services, who provide this detail via an online Portal | Surrey CC / payroll processing |

 

 

Trustees + Members of the Board of Trustees

 

| Class of Information | Collection Method | Basis for processing | Included in Subject Access File? | External Processing Details (Destination / reason) |
|---|---|---|---|---|
| Personal details: Name, Address, | Directly from the individual | Administration of the Board Member’s official position | Yes. | Companies House / administration of the Trust |
| Register of Interests | Declaration of Interests form | XXXXX | | |

 

 

 

 

 

 

 

 

 

 

Members of the Public

 

| Class of Information | Collection Method | Basis for processing | Included in Subject Access File? | External Processing Details (Destination / reason) |
|---|---|---|---|---|
| Name, email address, type of enquiry | Website collection form | Consent provided at data entry. | Yes; NB Right to removal of information applies | n/a |


 

 

 

Appendix 3: Additional Information

In addition to the Data Protection Act, the College must comply with a number of other Acts of Parliament. Practices in these areas are covered by other College Policies, which are available via the College website.

 

The other principal Act which relates to information is the Freedom of Information Act – but this relates to information about the College which is in the public interest and not personal information about individuals. This entitles a member of the public to request information about the College; the main categories of information are listed in a Publication Scheme. Details of how Godalming College manages its Freedom of Information requests are shown on the College website.

 

It is important to remember that the principles of Data Protection override any request for information under the banner of ‘Freedom of Information’. Personal information should never be disclosed to a Third Party. If you are in doubt as to what can be disclosed and in what form, you should consult the Data Protection Officer, or the Director of Services.

 

 

 

Appendix 4: Mobile devices

 

The College has several systems which enable members to connect their mobile device (e.g. iPhone, Blackberry, Android etc) to view email, calendar and contact information via a remote connection, or via the College Wifi. There are three main systems available:

  1. Web-based email – this uses the same security policies as access from a laptop/home computer.
  2. A Partnership between the device and the College systems, which synchronises email and calendar information that is then stored on the device and can be accessed without re-connecting to the internet.
  3. Online College applications, running over an encrypted internet connection.

 

‘MyFiles’ and webmail give access to email and calendars, as well as files and folders without storing data on the device. Online systems use encrypted connections, and do not store information on the client device. These are therefore the most secure method of access.

 

A partnership involves the storage of information away from the College site (i.e. on the device) and therefore it is important that the College obtains assurance that the information will be kept securely. Therefore, for those who wish to create a partnership, before the facility is enabled, they must agree:

  • to keep their device safe, and that only they will use it (this may be of particular concern to those whose device may be shared with their family, such as with an iPad or tablet). Staff who share their device with others must not create a partnership.
  • that the device is managed by the College’s automatic security policies, which will enforce a number of settings, including:
    • That a complex password be used to access the device, and that it will need to be changed every 90 days
    • That a number of incorrect attempts to input the password will result in the device being wiped – in most cases to its factory state (dependent on the individual device). This will delete all information from the device – this is to minimise the risk of information stored in emails or calendar items being seen by someone other than that user.
    • That the device’s memory will be encrypted. The user will be responsible for any consequence of this, depending on what else they use their device for.
    • That the device ‘lock’ is automatically applied after a few minutes of inactivity.
    • The user must also immediately report to the ILT Services team if their device is lost or stolen – a remote wipe can be carried out. If the user has access to the internet, they can also perform this themselves via the College’s web-based email system (particularly if the device is lost out-of-hours).

 

The User is responsible for all access to their network account, and should protect their device and its password.  Allowing another person to access a College computer account may result in disciplinary action.

 

Any suspected or actual compromise to an individual’s account must be reported to the Principal without delay.

 

 

Appendix 5:  Transitional Arrangements 2018/19

 

There has been a change in the legislation relating to Data Protection, with the EU General Data Protection Regulations coming into force in May 2018.

 

Due to the cyclical nature of the College, some Personal information needing to be processed by the College was collected before the details of the associated UK Regulations were known, and before structured systems were built to, for example, collect Benchmark information. The Personal information was collected and processed according to the Data Protection Policy in place at the time, which is generally compatible with the GDPR.

 

Therefore, the College will take reasonable steps to convert any legacy information so that it complies with systems designed to deliver Subject Access, and centralised computer records.

 

The Consent for the processing of applicant information and enquiries will be inherited from the time at which the information was provided (and the Notice of Fair Processing in place at the time). All information relating to current and former Staff and Students was collected with a Notice of Fair Processing which is compatible with the GDPR.

 

 

 

Appendix 6: Data Protection Impact Assessment Form

 

Name of proposer

 

Title of project or proposal

 

Summary of proposed Data Process.

 

 

 

 

Who is affected by this process, and how will their information be used? Include details of any transfer to any 3rd party, and how long the information will be retained

 

Explain the steps taken to identify the risks to data security and privacy. Include details of any consultation.

 

List the risks identified above

 

Risk | Impact | Likelihood

 

 

 

 

 

 

 

 

 

 

 

 

List the actions which will be taken to reduce the risks (mitigation).

Risk | Solution | Result

 

 

 

 

 

 

 

 

 

 

 

 

Describe the approval process for this project. Include relevant committees if appropriate

 

 

 

Data Protection Impact Assessment accepted:

 

 

Name

Signature and date

Project proposer

 

 

 

Project Sponsor (SMT)

 

 

Data Protection Officer

 

 

 

 

ICO Guidance on Impact Assessments:  https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf 

 

Appendix 7:  Data Protection Privacy Notices

 

Data Protection Privacy Notice – Staff (including Applicants) and Trustees

 

Godalming College is a 16-19 Academy Trust.  The purposes for which the College collects and processes personal data are notified and registered with the Information Commissioner’s Office (ICO), under the Data Protection Act 2018.

 

Your data and privacy are of utmost importance to us.  We are committed to keeping your personal data safe. We will prompt you, at least once a year, to ensure that the personal data we have is up to date.

 

How we use your personal information

 

The College will collect, store and process your personal data only for legitimate purposes.  This includes what you disclose on your application, at interview and what is learnt about you afterwards as a staff member, trustee or volunteer.

 

The College requires certain information about you in order to administer your position as a member of staff, or application to be a member of staff, trustee or volunteer at the College.

In particular the College will collect and process:

 

  • Your contact details, any information you provide on your application including previous employer details, and the results of any reference request in order to administer the appointment process.
  • Certain classes of sensitive personal information only for the purposes of statistical monitoring of Equality and Diversity of the workforce.
  • This information will only be kept for 6 months after the interview date for applicants who are not appointed.

For members of staff and trustees, the information that we may collect is as follows:

  • Basic personal details such as your name, initial, date of birth, position held
  • Personnel information such as your contact details, gender, nationality, attendance records, proof of ID and qualifications, training and professional review records, education and employment history, information about your physical and mental health and records related to your DBS check
  • Financial information such as salary records, bank details, income tax and NI records, pension records, insurance and other details needed to operate the Payroll service
  • Your image, and car registration details, in order to operate the College ID Card system, and enable members of the College to identify you or your vehicle as a member of staff.
  • Information about your performance in relation to your employment in your role, such as Professional Reviews, lesson observations, exam results of the students you have taught.
  • Health and Safety records relating to the COSHH regulations (use of chemicals)
  • Marketing Information including photos of you and information about your time at the College; your consent will be sought in respect of marketing
  • If you take part in Trips and Visits we may collect information such as your passport details, additional medical information and details of your travel insurance
  • CCTV footage will be captured of you when you are on the College campus.  The College is equipped with a CCTV system for the purpose of the security of College members and visitors, and the detection of crime. The CCTV images will not be used for any other purpose.

We share your information with the following third parties:

  • Surrey County Council Payroll and Pension services
  • Disclosure and Barring service
  • Organisations that provide and administer the pension schemes
  • The S7 Consortium
  • Occupational Health Provider
  • Credit Reference Agencies who have made an enquiry on your behalf
  • Future employers in respect of references

 

Third parties acting on our behalf such as:

  • IT services – Microsoft and companies that provide online resources
  • Auditors, acting on behalf of the Board of Trustees or ESFA funding terms and conditions
  • Courts, law enforcement agencies and other emergency services as necessary to comply with a legal requirement, for the administration of justice, to protect vital interest, to protect the security or integrity of College operations, and to detect, investigate or prevent crime.
  • Travel agents, airlines and other companies with which you have engaged to organise a College Trip

 

Access to your information

You have a right to request the information we hold about you.  Usually we will provide this information to you free of charge and within 30 days.

 

Transferring your data

You have the right to request a copy of your personal data in a commonly used format such as CSV or Microsoft Excel so that you can transfer your data to another organisation.  We have to provide this to you free of charge and within 30 days.

 

Transferring your data outside the European Economic Area

Any data that is shared beyond the EEA will be covered by agreements equivalent to the Data Protection Act (2018).

 

Correcting mistakes

You have the right to request we update any information we hold about you if you think it is incorrect, incomplete or out of date.  If we believe the information we hold about you is correct we may refuse to update our records but we will note your objection.

 

Objecting to how we process your data

We rely on legitimate interests or public interest as the legal basis for processing your personal data. You have the right to object, on grounds relating to your particular situation, to us processing your personal data where you feel the processing has a disproportionate impact on your rights.

 

Withdrawing consent

We do not rely on consent as a lawful basis for processing any of your information.  If you choose not to give us your personal information, it may delay or prevent us from meeting our obligations to you as an employer.  It may also mean we cannot perform services needed to support you as an employee. It might mean that you could not continue your employment with us.

 

Automated processing

We do not carry out any automated processing.

 

The right to be forgotten

You can ask us to erase your personal data in the following situations:

 

  • The data is no longer necessary in relation to the purpose for which it was originally collected
  • You have objected to us processing the data and there is no overriding legitimate interest for us to continue the processing
  • Your personal data was unlawfully processed
  • Your personal data has to be erased in order to comply with a legal obligation

 

We may in some circumstances refuse to erase your personal data. If we do this we will explain why and the legal reason for doing so.

 

Your rights

If you have any questions or queries about the information we hold about you, and how we use it, you can either speak to your Line Manager, Clerk of the Academy Trust, or Personnel.  Or you can address your concerns to the College’s Data Protection Officer. They can be contacted via email: dpo@godalming.ac.uk

 

If you feel your question or complaint has not been addressed to your satisfaction, you can contact the Information Commissioner’s office:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

https://ico.org.uk/

 

 

Data Protection Privacy Notice – Students

 

This statement will be subject to regular review and will be updated accordingly.

 

How will we use your personal information

 

Godalming College is a 16-19 Academy Trust.  The purposes for which the College collects and processes personal data are notified and registered with the Information Commissioner’s Office (ICO), under the Data Protection Act 2018.

 

Your data and privacy are of utmost importance to us.  We are committed to keeping your personal data safe.  You may wish to show this notice to your parents/carers.

 

In order to administer your place at Godalming College, we collect information from you and about you in various ways, including via your original application and from your school, references and reports, enrolment and interviews, attendance data, the CCTV system, UCAS, exam boards, and interaction with your teachers, parents, and tutors at College.  The College has strict policies on what information we hold, how it can be used, and when it must be destroyed. You can see your own personal information via SELF (Student Electronic Learning File), or by speaking to your Senior Tutor.

The information we hold about you may include sensitive information (as defined by the Data Protection Act 2018, and may include learning difficulties or disabilities, your ethnicity etc.) for the purposes of monitoring Equality and Diversity, and to administer special exam arrangements or concessions. This information will be kept especially carefully and accessible only to those specifically authorised.

 

We will use your information to communicate with you and your parents, in particular we will communicate with your parents about your progress and attendance, and in the course of the operation of College systems designed to help you perform to your potential.

 

Your information will be passed to various Government and other agencies including the Department for Education, Education and Skills Funding Agency, Learner Records Service, The Data Service, examination boards and the Universities and Colleges Admissions Service, as well as organisations such as those which provide Value-Added analysis for the College. This is to obtain funding and monitor the effectiveness of the College. In some specific circumstances, it may be necessary to perform a criminal records check with the Disclosure and Barring Service, such as where you apply to perform Work Experience working with children.

 

It is the legal duty of the College to communicate with these agencies in relation to the educational activity of the College.

 

The school you attended before enrolling at the College, along with the Local Authority, has a duty to monitor the progression of its pupils after Year 11; we may inform them that you have applied and the progress of your application – up to and including your final exam results and your destination after college (e.g. university).  Your school is required to provide us with any safeguarding information they hold about you, and similarly we are required to pass on any safeguarding information to any institution you attend should you leave the College before your 18th birthday.

 

The Information Authority and the Information Commissioner’s Office regulate the information which is collected by these organisations, and how it is used and kept. Each of these organisations has its own Data Protection policies, and all are regulated and monitored by the Information Commissioner’s office.

 

We treat your personal information with respect: it will only be available to authorised people and organisations, not used for commercial gain and will be destroyed when it is no longer needed for these purposes.  Unauthorised access to (or attempts to access) personal data contravenes the College’s Data Protection Policy.

 

It is your responsibility to ensure that you inform us if your personal information changes – you can view your own information at any time via SELF or via your Personal Tutor or Senior Tutor. Changes to the College’s records can be made via Reception.

 

We will not disclose your personal information for publicity purposes without your express permission. There are separate procedures where you may be asked to provide consent to this activity. A full copy of our Data Protection Policy can be found on the College website.

 

Transferring your data outside the European Economic Area

Any data that is shared beyond the EEA will be covered by agreements equivalent to the Data Protection Act (2018).

 

Correcting mistakes

You have the right to request we update any information we hold about you if you think it is incorrect, incomplete or out of date.  If we believe the information we hold about you is correct we may refuse to update our records but we will note your objection.

 

Objecting to how we process your data

We rely on legitimate interests or public interest as the legal basis for processing your personal data. You have the right to object, on grounds relating to your particular situation, to us processing your personal data where you feel the processing has a disproportionate impact on your rights.

 

Withdrawing consent

We do not rely on consent as a lawful basis for processing any of your information.  If you choose not to give us your personal information, it may delay or prevent us from meeting our obligations to you as a student.  It may also mean we cannot provide you with a government funded education.  It could mean we are unable to offer you a place to study at the College or provide you with an education.

 

We may in some circumstances refuse to erase your personal data. If we do this we will explain why and the legal reason for doing so.

Further information can be found:

 

Complaints

If you have any questions or queries about the information we hold about you, and how we use it, you can either speak to your Personal Tutor or Senior Tutor in the first instance.  If you still have concerns please address them to the College’s Data Protection Officer. They can be contacted via email: dpo@godalming.ac.uk

 

If you feel your question or complaint has not been addressed to your satisfaction, you can contact the Information Commissioner’s office:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

 

https://ico.org.uk/

 

 

Data Protection Privacy Notice – Parents/Carers 

 

How will we use your personal information

 

Godalming College is a 16-19 Academy Trust.  The purposes for which the College collects and processes personal data are notified and registered with the Information Commissioner’s Office (ICO), under the Data Protection Act 2018.

 

We have been provided with your details by [Student Name] in relation to their application to study at Godalming College. They have given your details as their nominated parent or carer, with whom we will communicate to support [his/her] studies.  [Student Name] has been provided with a separate statement that you might wish to discuss with them.

 

The information we collect and process is provided by your son/daughter through the application and enrolment process and through you via the application form, parent portal, financial transactions with the College and correspondence with the College.

 

We will use the information shown below to keep you informed of [Student Name]’s progress through the application and enrolment process and to keep you informed of activities at the College which may be relevant to [Student Name]’s current or future studies such as extra-curricular activities, trips, useful resources etc.

 

We will provide access for you to the ‘Parents Portal’, via which you can monitor [Student Name]’s attendance, timetable, and review performance information provided by [his/her] teachers.

 

Please inform us of any inaccuracies or change to this information. If you wish to be removed from our database, we will delete your contact information and cease contact with you about [Student Name]. Should you subsequently wish to resume contact with the College, [Student Name] should make this request to the Student Receptionist.

 

Please note you have the right to confirm what data we hold about you at any time.  Parents and carers are not entitled to make a subject access request for data on behalf of a student.

 

Transferring your data outside the European Economic Area

We will not send your personal data outside of the European Economic Area (EEA).

 

Correcting mistakes

You have the right to request we update any information we hold about you if you think it is incorrect, incomplete or out of date.  If we believe the information we hold about you is correct we may refuse to update our records but we will note your objection.

 

Objecting to how we process your data

We rely on legitimate interests or public interest as the legal basis for processing your personal data. You have the right to object, on grounds relating to your particular situation, to us processing your personal data where you feel the processing has a disproportionate impact on your rights.

 

Withdrawing consent

We do not rely on consent as a lawful basis for processing any of your information.  If you choose not to give us your personal information, it may delay or prevent us from providing information relating to your son or daughter’s education.

 

We may in some circumstances refuse to erase your personal data. If we do this we will explain why and the legal reason for doing so.

Further information can be found:

 

Complaints

If you have any questions or queries about the information we hold about you, and how we use it, then please contact the College’s Data Protection Officer. They can be contacted via email: dpo@godalming.ac.uk

 

If you feel your question or complaint has not been addressed to your satisfaction, you can contact the Information Commissioner’s office:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

 

https://ico.org.uk/