- About Bartholomews Tutorial College
- Responsibility for data protection
- Why we need to process personal data
- Why we may need to use special category personal data
- Types of personal data stored and used by the College
- How the College collects data
- Who can access personal data at the College
- Sharing personal data with outside organisations
- How long we keep personal data
- Staying in contact with former students and parents
- Your rights explained
- Student data access requests
- Parental data access requests
- Your right to withdraw consent
- Understanding the rights of students and their parents
- Data accuracy and security
- Comments, queries and complaints
1. About Bartholomews Tutorial College
Bartholomews Tutorial College is an independent educational college located in Brighton, East Sussex. The College is a registered company, limited by guarantee, and operates on a non profit-making basis. Our company number is 3628884.
Our postal address is:
Bartholomews Tutorial College,
22-23 Prince Albert Street,
You can contact us by any of the following means:
Telephone 1: +44 (0) 1273 205965
Telephone 2: +44 (0) 1273 205141
This document sets out how Bartholomews Tutorial College (hereafter referred to as ‘the College’) stores, uses and protects any information that you give to us; electronically, verbally (where applicable), in writing, or by any other means.
The College may change this policy from time to time by updating it on the website. You should check the website occasionally to ensure that you are happy with any changes. Where there are substantial changes that will affect your rights, you will be actively notified of this as far as is reasonably practicable. This notice is effective from May 2018.
(a) Prospective, current and former staff members; (b) Prospective, current and former students; (c) Parents, carers or guardians (hereafter referred to as ‘parents’) of prospective, current and former students.
(a) Any contract or agreement between the College and its staff, or the parents of students; (b) The College’s Safeguarding Policy, including as to how concerns or incidents are recorded; (c) The College’s Health & Safety Policies; (d) The College’s ICT Policy.
3. Responsibility for data protection
Bartholomews Tutorial College has appointed a Data Protection Officer (DPO) who will deal with all your requests and enquiries concerning the College’s use of your personal data. The College’s DPO endeavours to ensure that all personal data is processed in compliance with this Policy and all other applicable Data Protection legislation.
The College’s DPO is Jay Roberts, who can be contacted by the following means: email: firstname.lastname@example.org telephone: 01273 205965
4. Why we need to process personal data
As part of its daily operation, the College may store and process a range of personal data about individuals in order to carry out its duties and responsibilities to staff, students and parents.
Some of the data storage and processing activities undertaken are necessary in order that the College can effectively fulfil its legal obligations, duties or rights. This includes legal responsibilities pertaining to a contract or agreement with its staff, or parents of its students, or where you have given express permission for the College to use your personal data as outlined in the contract or agreement.
Other data storage and processing activities will be made in accordance with the College’s legitimate interests, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of data.
The College expects that the following uses may fall within the category of its legitimate interests:
(a) For the purposes of confirming the identity of prospective students and their parents; (b) To provide educational services, career services, and extra-curricular activities to students, and for monitoring students’ progress and educational needs; (c) To enable students to participate in public examinations and other assessments, and to lawfully publish the results of public examinations or other student achievements; (d) To safeguard students’ welfare and provide appropriate pastoral care; (e) To enable relevant authorities to monitor the College’s performance and to intervene or assist with incidents as appropriate; (f) For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records); (g) To provide references to potential employers of past students or staff members; (h) To exchange information with other organisations, where appropriate, about prospective, current and former students, including relating to outstanding fees or payments; (i) To monitor and ensure appropriate use of the College’s IT and communications systems; (j) To make use of photographic images of students in College publications, on the College website and (where appropriate) on the College’s social media channels; (k) To effectively deal with complaints or incidents arising either within the College or externally, and to carry out disciplinary or investigative processes as appropriate; (l) For security purposes; (m) For the purposes of marketing or other promotional activities; (n) Where otherwise reasonably necessary for the College’s purposes, including to obtain appropriate professional advice or insurance for the College.
If you are a former student, or a parent of a former student, we will only use your contact information to provide you with details of news, services or events, which we identify as being relevant to you from your association with the College. We may also contact you with a request for feedback regarding your experience at the College. We will communicate this information to you via postal mail or email, provided that you have not opted out of any of these forms of communication. Should you at any time wish to opt out of receiving these communications, then you may do so by following the “unsubscribe” function where available, or otherwise contacting us to express your wishes.
5. Why we may need to use special category personal data
The College may sometimes need to process special category personal data. Special Category data includes information concerning health, ethnicity, religion, biometrics, sexual life or criminal records information (such as when carrying out DBS checks). The College will usually only request such information in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons may include:
(a) To safeguard students’ welfare and provide appropriate pastoral or medical care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of a medical condition where it is in the individual’s interests to do so: for example for medical advice, social services, insurance purposes or to organisers of College trips; (b) To provide educational services in accordance with any special educational needs of a student; (c) In connection with employment of its staff, including DBS checks, welfare and our workplace pension scheme; (d) As part of any College or external complaints, disciplinary or investigative process that involves such data; for example, if there are SEN, health or safeguarding elements; (e) For legal and regulatory purposes (e.g. child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
6. Types of personal data stored and used by the College
The different types of data collected, stored and processed by the College are numerous and wide-ranging. It is expected that they will include:
(a) Names, addresses, telephone numbers, email addresses, physical addresses and other contact details; (b) Past, present and prospective students’ academic, disciplinary, admissions and attendance records (including information about any special needs), assessments and examination scripts and marks; (c) Personnel files, including in connection with academics, employment or safeguarding; (d) Where appropriate, information about individuals’ health, and contact details for their next of kin; (e) References given or received by the College about students, and information provided by previous educational establishments and/or other professionals or organisations working with students; (f) Correspondence with and concerning staff, students and parents past, present and prospective; (g) Bank details and other financial information, e.g. about parents who pay fees to the College; (h) Images of students (and occasionally other individuals) engaging in College activities.
7. How the College collects data
The College usually receives personal data from the individual directly, including, in the case of students, from their parents. This may be via a hand-written or digital form, or simply in the ordinary course of interaction.
The College may also collect information about your usage of our website to improve our services available to you. This may include technical information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
In some cases personal data may be supplied by third parties, or collected from third-party or publicly available resources. Some examples are:
(a) From another College, authority or professional working with that individual; (b) From social media (for example, if you post something on the Bartholomews Tutorial College Facebook page); (c) If we see news about one of your achievements through a story in a local or national news outlet, or on a third-party website, or if someone else tells us.
Please see further below, Staying In Contact With Former Students And Parents, for more information on how the College may use the personal data of former students and parents, and how to opt out of such use.
8. Who can access personal data at the College
Most personal data collected by the College is accessible only to College staff, with exceptions only in certain circumstances as described in the next section ‘Sharing Personal Data With Outside Organisations’.
Some types of especially private or sensitive data will be accessible only to certain staff members, on a ‘need to know’ basis. This is achieved with the application of a series of access protocols assigned to each staff member. Particularly strict rules of access apply in the context of:
(a) Medical information, which is held and accessed only by appropriate staff where it is in the interests of the individual for them to do so, or otherwise in accordance with express consent; (b) Pastoral files; (c) Safeguarding files, which are held by the Designated Safeguarding Lead (DSL).
However, a certain amount of any SEN student’s relevant information will need to be provided to staff more widely in the context of providing the necessary care and education that the student requires.
9. Sharing personal data with outside organisations
Occasionally the College may need to share personal information relating to its community with third parties, such as:
(a) government authorities, for example the Department for Education (DfE), Her Majesty’s Revenue and Customs (HMRC), the police or the Local Education Authority (LEA); (b) professional advisers, for example lawyers, accountants, payroll services and physicians.
The College has a responsibility of care to all members of its community, and we take this responsibility very seriously. With this in mind, we may sometimes find it necessary to record or report incidents or concerns that arise, if they meet a certain threshold of seriousness in their nature or regularity. This may include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities such as Social Services, the Local Authority Designated Officer (LADO) or the police. For further information about this, please view the College’s Safeguarding Policy.
Finally, in accordance with Data Protection Law, some of the College’s processing activity is carried out on its behalf by third parties, such as IT vendors, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the College’s specific directions and we take all appropriate measures to prevent unauthorised or unlawful access to it, including password protection, data encryption and assigned access protocols. Use of personal data by such third parties is safeguarded by both international procedures and legal agreements to comply with the requirements of the Data Protection Act.
Bartholomews Tutorial College will not, under any circumstances, sell the personal data of any individual to third parties or outside organisations.
10. How long we keep personal data
The College will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff and student personnel files is up to 7 years following departure from the College.
However, incident reports and safeguarding files may need to be kept much longer, in accordance with specific legal requirements. If you have any queries about how this notice is applied, or wish to request that personal data you no longer believe to be relevant is considered for erasure, please contact our Data Protection Officer, Jay Roberts. However, please bear in mind that the College may have lawful and necessary reasons to hold on to some data even following such a request.
Bartholomews Tutorial College reserves the right to keep a limited and reasonable amount of information for archiving and statistical purposes. For example, we keep records of exam results achieved at the College indefinitely. Should you contact us requesting the destruction of your personal data, your examination results will be retained with anonymity. Please be aware that, under such circumstances, we will thereafter be unable to provide the individual with references or evidence of results achieved at the College.
Please bear in mind that even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes (this is called a “suppression record”).
11. Staying in contact with former students and parents
The College will retain the contact details of parents, former students and staff members, and may use them for communications about activities or events of interest at the College, by email and by post.
Unless the relevant individual objects, we may also contact previous students and/or parents by post and email in order to request feedback of their experiences with the College, including the contribution of social media reviews.
Furthermore, the College collects information from publicly available sources about the occupations, achievements and activities of former students, in order to maximise the College’s marketing potential. These sources includes:
(a) Social media, for example LinkedIn and Facebook; (b) Websites, for example Companies House, news media sites, etc; (c) Publications, for example local and national newspapers or magazines.
Any member of the College community, past or present, has the right to limit or object to any such use of their personal data. Should you wish to do so, or if you would like further information about how the College stays in touch with former students or their parents, please contact our Data Protection Officer, Jay Roberts, in writing.
You always have the right to withdraw consent or otherwise object to any requests for marketing or promotional activities, and the College takes very seriously the rights and preferences of every member of its community. However, the College may need nonetheless to retain some of your details, at least to ensure that no more communications are sent to that particular address, email or telephone number.
12. Your rights explained
Individuals have various rights under Data Protection Law to have full visibility of, or access to, all personal data about them held by the College. In some cases, individuals have the right to ask for their personal data to be erased or amended, or for the College to stop processing it. All such requests are subject to certain exemptions and limitations, usually arising from the College’s legal obligations or duties of care.
Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, should put their request in writing to our Data Protection Officer.
Subject to the satisfaction of reasonable identity checks, the College will endeavour to respond to any such written requests as soon as is reasonably practicable, and in any event within one month as per the statutory time-limits imposed by Data Protection Law.
The College will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, the College may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain requests cannot be fulfilled for various reasons, including the following:
(a) Certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege; (b) The College is not required to disclose any student examination scripts (or other information consisting solely of student test answers), provide examination or other test marks ahead of any ordinary publication, nor share any confidential reference given by the College for the purposes of the education, training or employment of any individual; (c) You have the power to invoke your “right to be forgotten” at any time. However, we will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your (or your child’s) personal data. This may be due to a specific legal requirement, or alternatively where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be considered on their own merits.
13. Student data access requests
All students can make access requests for their own personal data, provided that, in the reasonable opinion of the College, they have sufficient maturity to understand the request they are making (see section Understanding The Rights Of Students And Their Parents, below). Students aged 13 are generally considered to have this level of maturity, although this will depend on both the individual child and the personal data requested, including any relevant circumstances at home. Children younger than 13 may be sufficiently mature to have a say in this decision. All subject access requests from students will therefore be considered on a case by case basis.
A student of any age may ask a parent or other representative to make a subject access request on their behalf; however, the information in question is always considered to be the child’s at law. Therefore, any parent requesting access to data on behalf of their child will be required to seek the child’s consent in cases where they are considered of sufficient age to express it.
14. Parental data access requests
Parents will usually receive educational and pastoral updates about their children, in accordance with the contractual duties and obligations of the College. Where parents are separated, the College will, unless instructed otherwise by all parties, aim to provide the same information to each person with parental responsibility. In certain individual cases, the College may need to factor in all the circumstances, including the express wishes of the child. All subject access requests from parents will therefore be considered on a case by case basis.
15. Your right to withdraw consent
Where the College is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that the withdrawal of consent may render the College unable to perform its duties or contractual obligations to the student or parent in question.
16. Understanding the rights of students and their parents
The rights under Data Protection Law belong to the individual to whom the data relates. However, the College will sometimes rely on parental consent to process personal data relating to students, in situations where consent is required. In other cases, taking into account the nature of the processing in question and the student’s age and understanding, it is more appropriate to rely on the student’s consent. Parents should be aware that in such situations they may not be consulted; this depends upon the interests of the child, the parents’ rights at law, and all other circumstances.
In general, the College will assume that students’ consent is not required for ordinary disclosure of their personal data to their parents, (e.g. for the purposes of keeping parents informed about the student’s activities, progress, attendance and behaviour, and in the interests of the student’s welfare) unless, in the College’s opinion, there is a good reason to do otherwise.
However, where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, the College may be under an obligation to maintain confidentiality unless, in the College’s opinion, there is a good reason to do otherwise; for example where the College believes disclosure will be in the best interests of the student or other students, or if required to by law.
Students are required to respect the personal data and privacy of others, and to comply with the College’s ICT Policy, alongside the standard College regulations. Staff are under professional obligation to do the same.
17. Data accuracy and security
The College will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify the College of any changes to information held about them, including changes of address, telephone number, email, or personal circumstances where appropriate.
An individual has the right to request that any inaccurate or out-of-date information about them is erased or corrected (subject to certain exemptions and limitations under the Data Protection Act).
The College will take appropriate technical and organisational steps to ensure the security of personal data concerning individuals, including policies around use of technology and devices, and access to College systems. All staff are aware of this notice and their duties under Data Protection Law.
19. Comments, queries and complaints
Any comments, queries or complaints regarding this policy should be directed to the College Data Protection Officer, Jay Roberts, by email at: email@example.com or by telephone on: 01273 205965.
If an individual believes that the College has not complied with this notice or otherwise failed to enact the requirements of Data Protection Law, they should utilise the College complaints procedure and should also notify the College’s Data Protection Officer. You can also make a referral to, or lodge a complaint with, the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with the College before involving the regulator.