Christ’s Hospital Privacy Notice – How we handle personal data

Introduction

1. In order to conduct its daily activities, Christ’s Hospital (“CH”) needs to process personal data about a wide range of individuals.

2. CH is legally obliged to process personal data in accordance with the European General Data Protection Regulation (“GDPR”); we are committed to complying with the GDPR and take seriously the responsibility of handling personal information. Christ’s Hospital has notified its use of personal data to the Information Commissioner’s Office (ICO). Purpose

3. The purpose of this Privacy Notice is to explain how we meet our obligations under the GDPR and it should be read in conjunction with the Information Security and Data Protection Policy which is available on the Christ’s Hospital web site (www.christs-hospital.org.uk) and to members of staff on the School intranet.

Scope

4. For the avoidance of doubt, this Notice applies to all living individuals on whom CH gathers, holds and processes personal information of any kind but it is particularly intended to cover prospective, current and former:

  • pupils;
  • parents, guardians and carers;
  • staff, including casual, temporary and volunteers;
  • suppliers and contractors;
  • clients and customers;
  • supporters and donors;
  • visitors and
  • members of the public.

Data protection officer

5. CH has appointed an appropriate member of staff as its Data Protection Officer, who is responsible for:

  • notification as a data controller with the ICO;
  • endeavouring to ensure that personal data is processed by CH in compliance with this Notice, the Information Security and Data Protection Policy and the data protection principles contained in the GDPR (“the data protection principles”);
  • delivering or arranging appropriate training for members of staff who are responsible for processing personal data; and
  • the enforcement, monitoring and review of this Notice and the Information Security and Data Protection Policy.

The data protection principles

6. The GDPR requires us to ensure that all personal data is processed in accordance with five key principles:

  • Purpose limitation principle. “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
  • Data minimisation principle. “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
  • Accuracy principle. “Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
  • Storage limitation principle. “Personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed
  • Integrity and confidentiality principle. “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Personal data processed by CH

7. Personal data processed by CH can take many different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or imparts something of significance about a living individual. It may be held electronically, in hard copy paper form or held as photographic images.

8. Personal data processed by CH typically includes names and contact details and may also include information such as:

  • for pupils – admissions, academic, disciplinary, medical and other education related records, information about special educational needs, references, examination scripts and marks, images, audio and video recordings;
  • for parents, carers and guardians – employment details, family circumstances and financial information;
  • for staff and contractors – additional information required for their employment or appointment including references, documents, reports, appraisals, images, audio and video recordings and
  • for supporters and donors – financial information.

9. For a very small number of purposes, CH processes special categories of data which may include information concerning an individual’s ethnic group, religious beliefs, trade union membership, criminal record and proceedings, biometric data and their physical and mental health.

10. CH collects the personal data it processes directly from, and with the consent of, the data subject (or in the case of a pupil, his/her parents or guardians) and from third parties (for example referees, pupils’ previous schools, previous employers and the Disclosure and Barring Service (DBS)).

Purposes for which personal data is processed

11. Personal data (including special categories of data, where appropriate) is processed by CH in accordance with the GDPR for the following purposes:

  • The provision of education including the registration of prospective pupils and administration of the admissions process; administration of the school curriculum and timetable; administration of pupils’ entries to public examinations, reporting upon and publishing the results; providing references for pupils (including after a pupil has left); preparation of information for inspections by the Independent Schools Inspectorate.
  • The provision of educational support and ancillary services including the provision of pastoral care, welfare, health care services and maintenance of discipline; provision of careers and library services; administration of the Combined Cadet Force and other School clubs and societies; administration of sporting teams and fixtures; administration of school trips; boarding house administration; the administration of the School’s ICT Code of Conduct for Pupils by monitoring pupils’ email communications, internet use and telephone calls.
  • The general administration of the School including the compilation of pupil records; the administration of bursaries, scholarships, invoices, fees and accounts; the management of the School’s property; the management of security and safety arrangements (including through the use of CCTV); the administration and implementation of the School’s policies; and other reasonable purposes related to the day to day operations of the School.
  • The protection and promotion of CH’s legitimate interests and objectives including the publication of its web site, the prospectus and other marketing publications; fund-raising for charitable purposes; the maintenance of an historic archive; organisational governance and communicating with former pupils (Old Blues).
  • The administration of its staff, agents and suppliers including the recruitment of staff and engagement of contractors (including compliance with DBS procedures); administration of payroll, pensions, the death in service scheme, sick leave and the maintenance of appropriate human resources records for current and former staff and providing references.
  • The administration and management of organisations such as the Christ’s Hospital Foundation, Bluecoat Sports (BCS), Christ’s Hospital Enterprises Limited (CHEL) and the CH Theatre Box Office.
  • The fulfilment of CH’s contractual and other legal obligations.

Processing of personal data

12. CH will only process personal data for the purpose(s) for which it was originally acquired or which have subsequently been notified to the data subject(s) and will not process it for any other purpose without the data subject’s permission, unless it is permitted to do so under the GDPR or if it is required to do so by law.

13. Personal data will only be disclosed to or shared with those members of staff, agents and suppliers who need to access the personal data to carry out the purpose(s) for which it was acquired. CH employs appropriate security measures to ensure that personal data is kept secure and not accessed or processed without proper authority, as summarised in Annex A.

14. CH will not transfer personal data outside of the European Economic Area (EEA) unless it is satisfied that the data subject’s rights under the GDPR will be adequately protected.

15. CH will seek permission from an individual and, in the case of a pupil, his or her parents before allowing that person to feature particularly prominently in any films, books or articles for which CH may give permission.

16. When processing personal data for the purposes set out above CH may communicate by post, email and telephone and may make use of cloud computing services. Third parties with whom CH may need to share personal data

17. From time to time CH may pass personal data (including special categories of data where appropriate) to third parties, including local authorities, other public bodies (e.g. the DBS, UKVI, HM Revenue and Customs, Department for Education and Department for Work and Pensions), independent school bodies such as the Independent Schools Inspectorate and the Independent Schools Council, health professionals and the School’s professional advisers such as pension administrators, who will process the data:

  • to enable the relevant authorities to monitor the School’s performance;
  • to compile statistical information (normally using data on an anonymous basis);
  • to secure funding for CH or on behalf of individual pupils;
  • to safeguard pupils’ welfare and provide appropriate pastoral (and, where relevant, medical) care;
  • where specifically requested by pupils and/or their parents or guardians;
  • where necessary in connection with learning and co-curricular activities undertaken by pupils;
  • to enable pupils to take part in public examinations and other assessments and to monitor their progress and educational needs;
  • to obtain appropriate professional advice and insurance for the organisation;
  • where a reference or other information about a pupil or Old Blue is requested by another educational establishment or employer to whom they have applied;
  • where otherwise required by law; and
  • otherwise where reasonably necessary for the operation of CH and employment of its staff.

18. CH may also share personal data about Old Blues internally with the Christ’s Hospital Old Blues Association (CHOBA), the Benevolent Society of Blues (BSB) and similar associated organisations, which may contact Old Blues from time to time by post, email and telephone. All such processing will be conducted while ensuring that the data subject’s rights under the GDPR are adequately protected.

Rights of access to personal data/subject access requests

19. As data subjects, individuals have certain rights under the GDPR, including a general right to be given access to personal data held about them by a data controller; this is known as a “Subject Access Request”. The ICO’s guidance is that, in the majority of cases, by the age of 12, an individual has sufficient maturity to understand their rights and to make an access request themselves if he or she wishes.

20. If individuals wish to access their personal data held by CH or, in the case of parents, if they wish to access personal data held about their child or a pupil for whom they have parental responsibility, then a Subject Access Request should be submitted to the Data Protection Officer in writing.

21. CH aims to respond to Subject Access Requests as quickly as possible and will ensure that any information is provided within one calendar month unless an exemption from the right of access under the GDPR applies.

Consent to process data

22. The majority of the data held by CH on individuals is provided by the data subjects themselves and so was given with their full consent. Most of the forms used to gather data, such as Admissions forms, Bursary forms, job application forms, web site enquiry forms and so on make this clear. The information obtained in this way will not be processed for any other purpose than that for which it was gathered without the express consent of the data subjects concerned unless we are under a legal obligation to do so.

23. CH is conscious that data subjects may, at any time, wish to withdraw their consent, given previously, for the processing of data and so any individual who wishes to withdraw their consent should indicate this to the department which initially gathered the data concerned.

Accuracy of data

24. CH will endeavour to ensure that all personal data held in relation to individuals is accurate and up to date. However, individuals must notify the organisation of any changes to the information held about them.

Security of data

25. CH will take reasonable steps to ensure that personal data is kept secure and is only accessed by authorised individuals for the purposes for which it is held. All CH staff will be made aware of this Notice, the Information Security and Data Protection Policy and their responsibilities under the GDPR.

Enforcement

26. If an individual believes that CH has not complied with this Notice and/or the Information Security and Data Protection Policy, or has acted otherwise than in accordance with the GDPR, the individual should notify the Data Protection Officer who shall, where appropriate, investigate the matter and/or refer it for resolution in accordance with CH’s grievance/disciplinary procedure (for staff) or complaints procedure (for parents/pupils and others).

27. Individuals also have the right to complain direct to the Information Commissioner’s Office about an organisation’s handling of their personal data; details of the process to be followed can be found on the ICO web site (https://ico.org.uk/).

Guidance

28. Any queries about this Notice or how personal data is processed by CH should be referred to the Data Protection Officer for further guidance.

Author: DJH
Date of last review: May 2018
Annex:
A. Data Security Principles
ANNEX A

Data security principles

  • Access to personal data is provided only to those individuals who require access to that personal data in order to perform their duties and responsibilities. As a result, different individuals will have access to different categories of personal data depending upon their role.
  • The security measures in place to protect data held are set out in CH’s Information Security and Data Protection Policy, which is reviewed annually. All electronic data on the CH networks is protected by anti-virus software that runs on servers and workstations and is updated automatically. Data on the networks is backed-up daily. Access to workstations is password protected.
  • Personal data held in hard copy form in manual files is only accessible by authorised individuals and, where of a confidential nature, is kept in locked filing cabinets when not in use.
  • Paper-based copies of personal data (or other sensitive or confidential data) are disposed of in a secure manner, by shredding. Decommissioned IT equipment is wiped prior to its disposal.
  • CH ensures that prior to the transfer of any personal data to a third party for processing, the third party has appropriate technical and organisational security measures governing the processing to be carried out.
  • New members of staff receive data security training as part of their induction where this is appropriate and regular updates are provided thereafter.