1. PURPOSE

Individuals have a legal right to be informed about how we use their personal information. This Privacy Notice explains how we collect, store and use personal information.

Our aim is to always provide clear information about the personal information we are using and why we are using it. We have tried to keep the language in this privacy notice as simple as possible, however if anything is unclear or if you have any concerns then please contact data.protection@weston.ac.uk.

This is the college’s main ‘overarching’ privacy notice and it applies generally to the personal information that we collect and use. It is based on the model privacy notice produced for colleges by the Department for Education (DfE). Unless there is a lawful reason not to do so, we will also 0provide more specific privacy information at the point at which we collect or use personal information, for example if we collect personal data via an online or paper form.

While much of the personal information that we collect is mandatory (i.e. it must be provided so that we can manage the college and provide an education), some of it is requested on a voluntary basis. Where this is the case, we will request consent at the point we collect the information. We will explain to you whether there is a requirement to provide certain information to us, or whether you have a choice in doing so.

For the purposes of data protection law, Weston College Group is the ‘data controller’. Our Data Protection Officer is: Peter Sloman, Weston College, Knightstone Campus, Weston-super-Mare, BS23 2AL.

Contact details are provided at the end of this privacy notice.

2. SCOPE

This privacy notice is intended for learners and parents (including carers or guardians who we refer to in this privacy notice as ‘parents’) of the Weston College, we encourage all learners and parents to read it.

3. POLICY STATEMENT

3.1. The personal data we hold (categories of personal data)

We process personal information to be able to run the college, to provide pupils with an education and to make sure that we can look after our pupils appropriately. We may collect information directly from pupils or parents or from other places including other colleges, the local council and the Department for Education (DfE). Examples of the types of personal data that we may collect, use, store and share (when appropriate) are listed at Appendix 1.

3.1.1. Special category (sensitive) personal information

We may also collect, store, and use information about you that falls into "special categories" of more sensitive personal data which has extra protection in law and requires us to identify a condition for processing under Article 9 of the GDPR.

These conditions will vary but common reasons may include where processing sensitive data is necessary for reasons of ‘substantial public interest’ such as safeguarding; statutory and government purposes (e.g. Department for Education (DfE) requirements) or for ensuring equality of opportunity or treatment. We may also require your explicit consent for things such as the use of unique identifiers (e.g. fingerprints); or we may need to share health data to maintain a person’s vital interests where they are unable to give consent (life and death situations) or for the purpose of medical diagnosis and prevention (e.g. pastoral team, ensuring staff are aware of allergies).

Special category data is personal data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health; or
  • data concerning a natural person’s sex life or sexual orientation

3.1.2. Criminal convictions

Where we process criminal convictions, for example as part of a statutory requirement we also have to identify an additional ground for processing.  Usually this will either be either on the basis of our legal obligations in relation to safeguarding, preventing fraud or with your consent.

3.2. Our lawful reasons for processing pupil/parent information (lawful bases)

Data Protection law requires us to have a lawful reason (‘lawful basis’) for processing the personal data we use. These reasons are listed under Article 6 of the ‘General Data Protection Regulation’ (GDPR). Our lawful basis for processing will be explained at the point at which we collect personal information unless there is a lawful reason not to do so (for example where it is for the prevention or detection of crime).

Weston College processes a wide range of personal data for a variety of purposes, as described above. The lawful bases we rely on will therefore vary.  However, generally, the lawful bases we mainly use in relation to pupils and parents are:

  • We need to comply with the law (we have a legal obligation):

For example, we collect and use pupil information under legal and statutory obligations within the Education Act 1996, The Children Act 2004; Education and Inspections Act 2006; Education Act 2011; the Family and Children Act 2014 and Keeping Children Safe in Education (KCSIE) statutory guidelines.

  • We need to carry out a task in the public interest:

For example, the collection and use of pupil information is necessary for us to perform our role as a college and to deliver our public task of providing education to our pupils.

Less commonly, we may also need to use personal information about you where:

  • You have given us your consent (for example a photo of you for promotional purposes or our website).
  • We need to protect your vital interests (or someone else’s interests). This relates to life and death situations.
  • It is in ours or a third party’s legitimate interests to process the data. Where this is the case, we will ensure that we have considered whether our legitimate interests are overridden by your rights and freedoms as the learner or parent.

Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and explain how you go about withdrawing consent if you wish to do so.   We will then cease this aspect of processing, unless another lawful basis applies.

Some of the reasons that we use for collecting and using information may overlap and there may be several grounds allowing us to use personal data. There are also other lawful bases that may apply, this will be made clear wherever possible.

Our lawful basis for processing will be explained at the point at which we collect personal information unless there is a lawful reason not to do so (for example where it is for the prevention or detection of crime).

3.3. Collecting learner/parent information: Why do we collect and use your information?

The reasons that we collect and use personal information enable us to provide our pupils with an education and to help us run the college. Please refer to Appendix 2 for examples.

We collect and use information about you in a variety of way including through the college application and admissions process, from correspondence with you and through assessing pupils’ educational progress. The ways in which we collect information about you may also include methods as outlined at Appendix 3.

We may also collect information about you from third parties such as information from other colleges or other third parties engaging with you outside the college.

Whilst you will be required to provide us with some information, there is some information that you can choose whether to provide to us. Whenever we seek to collect information from you, we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice. Data Protection law requires us to have a lawful reason (‘lawful basis’) for processing the personal data we use. These reasons are listed under Article 6 of the ‘General Data Protection Regulation’ (GDPR). Our lawful basis for processing will be explained at the point at which we collect personal information unless there is a lawful reason n

3.4. Who we share learner information with

Information about learners and parents will not be shared with any third party without consent unless the law allows us to do so. Where it is legally required or necessary (and it complies with data protection law) personal information may be shared with the relevant local authority to meet our legal obligations to share information such as safeguarding concerns or with the Department for Education (DfE) or relevant funding body. To find out more about the data collection requirements that are placed upon us by the DfE and other funding bodies including the data that we share with them go to:

Further examples of with whom we share data are listed at Appendix 4.

Examples of how we share data with the Department for Education can be seen in Appendix 5.

3.5. Storing pupil and parent data

Personal data is securely stored and managed by our Information Security Management System (ISMS) policies and procedures.

Once a learners’ education with us has ended, we may retain certain information beyond their attendance at the College as deemed necessary and in line with our retention policies.  A copy of the Retention Schedule can be obtained by contacting data.protection@weston.ac.uk.

3.6. Transferring data internationally

Personal data is not normally transferred internationally however, where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law and ensure that we have sufficient safeguards in place.

3.7. Requesting access to your personal data

Individuals have the right to request access to information about them that we hold. This is known as making a ‘Subject Access Request’ (SAR). If you make a subject access request, and if we hold information about you, we will:

  • Give you a description of it
  • Tell you why we are holding and processing it, and how long we will keep it for
  • Explain where we got it from, if not from you
  • Tell you who it has been, or will be, shared with
  • Let you know whether any automated decision-making is being applied to the data, and any consequences of this
  • Give you a copy of the information in an intelligible form within a month, unless an extension is necessary on the ground of the complexity of the request

You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances. If you would like to make a request, please contact data.protection@weston.ac.uk.

Children have the same rights as adults over their personal data and the college will assess each request on its own merits. Pupils can find out what personal information we hold about them and how we use it by making a subject access request as long we judge that they can properly understand their rights and what this means.

Parents can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (a benchmark may be under the age of 12 however this will be judged by the college on a case by case basis), or where the child has provided consent and it is considered to be in the best interests of the child. Parents also have the right to make a subject access request with respect to the personal data the college holds about themselves. If you would like to make a request, please contact data.protection@weston.ac.uk.

3.8. Complaints

If you have a concern or complaint about the way we are collecting or using your personal data, please raise your concern with us in the first instance data.protection@weston.ac.uk.

The Information Commissioner’s Office, which is the supervisory authority, may be contacted on 0303 123 1113, or via their website, www.ico.org.uk regarding any complaints about how the way that the college handles your data.  However, under usual circumstances it may expect you to contact us first to see if we can help to resolve the issues first.

4. RESPONSIBILITIES

4.1. Data Protection Officer

Weston College Group have appointed a Data Protection Officer (DPO) who is responsible for all data privacy matters.

The contact details of the Data Protection Officer are:

Peter Sloman
Weston College
Knightstone Campus
Weston-super-Mare
BS23 2AL

Email : data.protection@weston.ac.uk

4.2. Management

The management and monitoring of data privacy are the responsibility of the Data Privacy Management Group (DPMG) reporting to the Data Protection Officer, the College Groups Learnership Board and Governing Body.

4.3. Records management

This document is maintained in line with the Colleges Information Management System (ISMS) and assessed as part of the Colleges ISO 27001 certification.

This document is reviewed annually and updated when necessary.

5. DEFINITIONS

Terms and definitions

DfE : Department for Education,

DPA : Data Protection Act, the DPA 2018 act is the UK’s implementation of GDPR

DPMG : Data Privacy Management Group,

DPO : Data Protection Officer, the person

ESFA : Education Skills Funding Agency, part of the Governments Department for Education (DfE)

GDPR : General Data Protection Regulation, EU Regulation which came into force from May 25, 2018

OFS : Office for Students, independent regulator of higher education in England

SAR : Subject Access Request, your right to request information the College holds about you more information in section 3.7 of this document

ISO 27001 : International Standards Organisation, 27001 refers to the best practice standard for Information Security.  Weston College is annually assessed against the ISO 27001 standards framework.

ISMS : Information Security Management System, The Colleges information security policies, procedures and management processes assessed as part of the College ISO 27001 certification.

WECA : West of England Combined Authority, made up of three of the councils in the region – Bath & North East Somerset, Bristol and South Gloucestershire.

6. RELATED LEGISLATION AND DOCUMENTS

Data Protection Act 2018

General Data Protection Regulation 2018

7. Appendix 1:  Non exhaustive list of examples of the types of personal data which we collect about learners and parents

  • Personal identifiers and contacts (such as name, unique pupil number, contact details and address).
  • Characteristics (such as ethnicity, language, and free college meal eligibility).
  • Safeguarding information (such as court orders and professional involvement).
  • Special educational needs (including the needs and ranking).
  • Medical conditions (such as doctor information, child health, dental health, allergies, medication and dietary requirements).
  • Attendance record (such as sessions attended, number of absences, absence reasons and any previous colleges attended).
  • Test results, assessment and attainment (such as AMEND AS NECESSARY key stage 1 and phonics results, post 16 courses enrolled for and any relevant results).
  • Behavioural information (such as exclusions and any relevant alternative provision put in place).
  • Photographs and CCTV.

This list is not exhaustive. To access further details of the categories of personal information we process, please contact data.protection@weston.ac.uk

8. Appendix 2:  Examples of the purposes for which we process your data

  • To support learning.
  • To monitor and report on learner progress and check whether any extra help is needed.
  • To look after learner’s wellbeing.
  • To keep track of how well we’re performing and assess the quality of our services.
  • To keep learner’s safe (e.g. food allergies, or emergency contact details).
  • To meet the statutory duties placed upon us e.g. for official data collections.
  • To promote the College e.g. through our website, social media, prospectuses and press releases.

This list is not exhaustive. To access further details please contact data.protection@weston.ac.uk

9. Appendix 3: Ways in which we collect learner and parent information

We collect and use information about you in a variety of way including through the Colleges application and admissions process, from correspondence with you and through assessing pupils’ educational progress. The ways in which we collect information about you may also include:

Course Applications

  • Course Enrolments
  • Applications for bursary or funding
  • Purchases from our online shop

10. Appendix 4: Examples of whom we may share your data with where the law permits (non – exhaustive list)

We collect and use information about you in a variety of way including through the Colleges application and admissions process, from correspondence with you and through assessing pupils’ educational progress. The ways in which we collect information about you may also include:

  • The local authority (INSERT DETAILS).
  • Colleges that students attend after leaving [COLLEGE NAME].
  • The Department for Education (DfE).
  • The National Health Service to support student safety and vaccination programs.
  • The pupil’s family and representatives.
  • Educators and examining bodies.
  • The regulator [Ofsted].
  • Suppliers and service providers so that they can provide a contracted service such as careers and Physical Education provision.
  • Central and local government.
  • Auditors
  • Survey and research organisations.
  • Security organisations.
  • Health and social welfare organisations.
  • Professional advisers and consultants.
  • Counsellors/Educational Psychologists as and when appropriate.
  • Charities and voluntary organisations.
  • Police forces, courts, tribunals.
  • Professional bodies.

Apply or find out more

Marketing Permissions

Once we have responded to your initial enquiry we would love to keep you informed of other, similar courses you may be interested in via email.


Is this ok?