COLLEGE GUARDIANS – PRIVACY NOTICE
WHO WE ARE
College Guardians is a trading name of Malvern College Enterprises Ltd, registered in England no. 2706656, which is a wholly-owned subsidiary of Malvern College, registered charity no. 527578.
WHY WE NEED TO PROCESS PERSONAL DATA
In order to carry out its ordinary duties to clients, College Guardians may process a range of personal data about past, current and prospective clients and host families as part of its daily operation. Some examples are:
• For the purposes of enrolling new clients and host families with College Guardians’ range of services (and to confirm the identity of prospective clients);
• To provide guardianship services to students at Boarding School and university;
• To manage relationships with host families;
• Maintaining relationships with the College Guardians community, including direct marketing activity;
• For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law;
• To enable relevant authorities to monitor College Guardians’ performance and to intervene or assist with incidents as appropriate;
• To carry out College Guardians’ safeguarding obligations whilst students are in the care of College Guardians;
• To monitor (as appropriate) use of Malvern College’s IT and communications systems in accordance with the College’s Policy one the Acceptable use of ICT and e-Safety;
• To make use of photographic images of users in College Guardians publications, on the College Guardians website and (where appropriate) on College Guardians’ social media channels;
• Where otherwise reasonably necessary for College Guardians’ purposes, including to obtain appropriate professional advice and insurance for College Guardians.
TYPES OF PERSONAL DATA PROCESSED BY COLLEGE GUARDIANS
• names, addresses, telephone numbers, email addresses and other contact details
• medical information relating to students in the care of College Guardians
• personal information relating to host families
• communication record (letter, email or SMS)
• credit/debit card details in the case of customers asking to pay invoices by this means;
• images of students, parents and host families (in accordance with Malvern College’s policy on taking, storing and using images of children);
LEGAL BASIS FOR PROCESSING DATA
College Guardians expects that much of its data processing may fall within the category of its (or its community’s) “legitimate interests” provided that these are not outweighed by the impact on individuals and provided it does not involve special or sensitive types of data.
Some activity College Guardians will need to carry out in order to fulfil its “legal rights, duties or obligations” for example where clients or host families are in a contractual relationship with College Guardians.
There may be occasions when College Guardians will act in the “vital interests” of preventing someone from being seriously harmed or killed.
HOW COLLEGE GUARDIANS COLLECTS DATA
Generally, College Guardians receives personal data from parents, agents and our third party partners such as schools and colleges via application forms. In addition host families may apply directly via application forms. Additional information relating to host families is provided by third parties through confidential references and Disclosure and Barring Service (DBS) checks which are taken up by College Guardians. DBS checks are processed through AEGIS Personal information may be provided via a form, or simply in the ordinary course of interaction or communication (such as email or telephone conversations).
WHO HAS ACCESS TO PERSONAL DATA AND WHO COLLEGE GUARDIANS
Occasionally, College Guardians will need to share personal information relating to its community with third parties, such as professional advisers (lawyers and accountants) relevant authorities (HMRC, police or the local authority).
For the most part, personal data collected by College Guardians will remain within College Guardians, Malvern College Enterprises and Malvern College, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis).
Personal data will also be shared with relevant staff at the school, college or university which the student attends in order that a co-ordinated approach to the student’s care and welfare is made possible.
In accordance with Data Protection Law (including GDPR – the General Data Protection Regulation), some of College Guardians’ processing activity is carried out on its behalf by third parties and partners such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the College Guardians’ specific directions.
HOW LONG WE KEEP PERSONAL DATA
College Guardians will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Any sensitive personal data relating to parents, students and host families will be destroyed within 12 months of the end of any relevant contract. Credit/debit card details are only taken at the request of users, generally by telephone call, and are destroyed immediately if submitted on a form. They are never recorded on any College Guardians system.
Incident reports and files relating to the safeguarding of children will need to be kept much longer, in accordance with specific legal requirements. It should also be noted that fully-selective deletion of data from the College Guardians Management Information Systems may not always be possible for technical reasons.
If you have any specific queries about how this policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact Malvern College’s Commercial Director, Mr Allan Walker, email@example.com. However, please bear in mind that College Guardians, Malvern College Enterprises Ltd and Malvern College may have lawful and necessary reasons to hold on to some data.
Individuals have various rights under Data Protection Law to access and understand personal data about them held by College Guardians, and in some cases ask for it to be erased or amended or for College Guardians to stop processing it, but subject to certain exemptions and limitations.
If you wish to exercise any of these rights you should put your request in writing to Malvern College’s Commercial Director, Mr Allan Walker, firstname.lastname@example.org.
College Guardians will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. College Guardians will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, College Guardians may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege.
Data Protection Law provides you with the following rights:
The right of access
Your right to obtain confirmation as to whether or not personal data are being processed, and, where that is the case, access to the personal data along with details regarding the nature of processing.
The right of rectification
Your right to obtain the rectification of inaccurate personal data.
The right of portability
Your right to receive the personal data concerning provided to us, in a structured, commonly used and machine-readable format.
The right to be forgotten
Your right to erase your personal data.
The right to restrict processing
your right for your data to be effectively ‘frozen’; stored and not further processed.
The right to object
ACCESS REQUESTS – YOUNGER USERS
Children whose personal data is held by College Guardians (i.e. students who are in the care of College Guardians) can make subject access requests for their own personal data, provided that, in the reasonable opinion of College Guardians, they have sufficient maturity to understand the request they are making (see section Whose Rights below). Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger children, the information in question is always considered to be the child’s at law.
A child of any age may ask a parent or other representative to make a subject access request on his/her behalf. Moreover (if of sufficient age) their consent or authority may need to be sought by the parent making such a request. This will depend on both the individual child and the personal data requested, including any relevant circumstances at home. All information requests from, or on behalf of, children – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.
Where College Guardians is relying on consent as a means to process personal data (for the example the use of images for marketing purposes), any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that College Guardians may have another lawful reason to process the personal data in question even without your consent.
That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual or because a purchase of goods, services or membership has been requested.
The rights under Data Protection Law belong to the individual to whom the data relates. However, College Guardians will often rely on parental consent to process personal data relating to children (if consent is required) unless, given the nature of the processing in question, and the child’s age and understanding, it is more appropriate to rely on the child’s consent.
Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.
In general, College Guardians will assume that children’s consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the child’s academic progress, and in the interests of the child’s welfare, unless, in College Guardians’ opinion, there is a good reason to do otherwise.
However, where a child seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, College Guardians may be under an obligation to maintain confidentiality unless, in College Guardians’ opinion, there is a good reason to do otherwise; for example where College Guardians believes disclosure will be in the best interests of the child or other children, or if required by law.
DATA ACCURACY AND SECURITY
College Guardians will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify [email address tbc] of any significant changes to important information, such as contact details, held about them.
An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why College Guardians may need to process your data, of whom you may contact if you disagree.
College Guardians will take appropriate technical and organizational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to College Guardians systems. All staff will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
College Guardians will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.
QUERIES AND COMPLAINTS
Any comments or queries on this policy should be directed to Mrs Jane Eldridge, the Director of Guardianship Services, at email@example.com.
If you believe that College Guardians has not complied with this policy or acted otherwise than in accordance with Data Protection Law, you should notify the Commercial Director (Mr Allan Walker, firstname.lastname@example.org). You can lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with College Guardians before involving the regulator.
Updated May 2018