Privacy Policy
INTRODUCTION
EIFA International School (“EIFA”, “we” or “the School”) is a limited company. Our registered address is 36 Portland Place, London, W1B 1LS, company number 07302928. We are the Data Controller for the purpose of UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, and supporting legislation. We take our responsibilities as a data controller seriously and we are committed to using the personal data we hold in accordance with the law.
This privacy notice provides detailed information about how we process personal data about individuals including: current, past and prospective staff; pupils, and their parents, carers and/or guardians (referred to in this policy as “parents”. There is a separate Privacy Notice for pupils aged 12 or above, the age at which pupils are considered sufficiently mature to give consent for data processing themselves.
We are providing this information because Data Protection Law gives individuals rights to understand how their data is used. Please read it carefully and, if you have questions regarding your personal data or its use, please contact the Data Protection Officer (DPO) by email on [email protected], by telephone on 020 7637 5351; or by post at 36 Portland Place, London, W1B 1LS.
WHY WE PROCESS PERSONAL DATA
In order to carry out its ordinary duties to staff, pupils and parents, the School needs to process a wide range of personal data about individuals (including current, past and prospective staff, pupils or parents) as part of its daily operations. Some of this processing the School will need to carry out in order to fulfil its legal rights, duties or obligations – including those under a contract with its staff, pupils and parents of its pupils, as well as obligations to the French authorities. Other uses of personal data will be made in accordance with the School’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals and provided it does not involve special or sensitive types of data.
LEGITIMATE INTERESTS
The School expects that the following uses will fall within that category of its (or its community’s) “legitimate interests”:
- For the purposes of pupil admission (and to confirm the identity and nationality of prospective pupils and their parents);
- To provide education services, including the administration of the school curriculum and timetable, extra-curricular activities to pupils, and monitoring pupils’ progress and educational needs;
- To maintain relationships with alumni and the school community, including direct marketing or fundraising activity;
- For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as tax, diversity or gender pay gap analysis);
- To enable relevant authorities (including French authorities) to monitor the School’s performance and to intervene or assist with incidents as appropriate;
- To give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupils attended or where it is proposed they attend; and to provide references to potential employers;
- To give and receive information and references about past, current and prospective staff, including to provide references to potential employers of past and current staff;
- Compliance with legislation and regulation including the preparation of information for inspections by the Independent Schools Inspectorate and OFSTED, submission of annual census information to the Independent Schools Council and the Department for Education;
- To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the School;
- To safeguard pupils’ welfare and provide appropriate pastoral care;
- To monitor (as appropriate) use of the School’s IT and communications systems in accordance with the School’s IT policies;
- To make use of photographic images of pupils in School publications and communications in accordance with the School’s Data Protection Policy;
- The promotion of the School through our own website, the prospectus and other publications and communications (including through our social media channels);
- Maintaining relationships with the wider school community by communicating with the body of current and former pupils and/or their parents or guardians and organising events.
- For security purposes, including CCTV in accordance with the School’s Data Protection Policy;
- To carry out or cooperate with any School or external complaints, disciplinary or investigation process;
- Where otherwise reasonably necessary for the School’s purposes, including to obtain appropriate professional advice and insurance for the School.
SPECIAL CATEGORY PERSONAL DATA
In addition, the School will on occasion need to process special category personal data (e.g. concerning health, ethnicity or religion) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons will include:
- To safeguard pupils’ welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition or other relevant information where it is in the individual’s interests to do so: for example for medical advice, for social protection, safeguarding, and cooperation with police or social services, for insurance purposes or to caterers or organisers of school trips who need to be made aware of dietary or medical needs;
- To provide educational services in the context of any special educational needs and/or disabilities (SEND) of a pupil;
- In connection with employment of its staff, for example DBS checks, welfare or pension plans;
- Any medical conditions we need to be aware of, including physical and mental health
- As part of any school or external complaints, disciplinary or investigation process that involves such data, for example if there are SEND, health or safeguarding elements; or
- For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
For ‘special category’ data, we only collect and use it when we have both a lawful basis, as set out above, and one of the following conditions for processing as set out in UK data protection law:
- We have obtained your explicit consent to use your child’s personal data in a certain way
- We need to perform or exercise an obligation or right in relation to employment, social security or social protection law
- We need to protect an individual’s vital interests (i.e. protect your child’s life or someone else’s life), in situations where you’re physically or legally incapable of giving consent
- The data concerned has already been made manifestly public by you
- We need to process it for the establishment, exercise or defence of legal claims
- We need to process it for reasons of substantial public interest as defined in legislation
- We need to process it for health or social care purposes, and the processing is done by, or under the direction of, a health or social work professional or by any other person obliged to confidentiality under law
- We need to process it for public health reasons, and the processing is done by, or under the direction of, a health professional or by any other person obliged to confidentiality under law
- We need to process it for archiving purposes, scientific or historical research purposes, or for statistical purposes, and the processing is in the public interest
- For criminal offence data, we will only collect and use it when we have both a lawful basis, as set out above, and a condition for processing as set out in UK data protection law. Conditions include:
- We have obtained your consent to use it in a specific way
- We need to protect an individual’s vital interests (i.e. protect your child’s life or someone else’s life), in situations where you’re physically or legally incapable of giving consent
- The data concerned has already been made manifestly public by you
- We need to process it for, or in connection with, legal proceedings, to obtain legal advice, or for the establishment, exercise or defence of legal rights
- We need to process it for reasons of substantial public interest as defined in legislation
Finally, some data processing will be carried out by the School based on consent, for example marketing activities and the use of personal data such as photographic images of pupils and staff on the School website and on the School’s social media channels, in accordance with the School’s Data Protection Policy.
Consent may be withdrawn at any time, by contacting the Data Protection Officer at [email protected].
TYPES OF PERSONAL DATA WE PROCESS
We process personal data about prospective, current and former pupils and their parents; staff, alumni and other donors and supporters. The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual. Examples include:
- names, addresses, telephone numbers, e-mail addresses and other contact details;
- family details and where appropriate, information about individuals’ health and welfare;
- nationality of pupils
- bank details and other financial information e.g. about parents who pay fees to the School, bursary assessment or for fund-raising
- past, present and prospective pupils’ admissions, academic, disciplinary and other education related records, information about special educational needs, references, examination scripts and marks;
- education and employment data, including references given or received by the School about pupils, and relevant information provided by previous educational establishments and/or other professionals or organisations working with pupils;
- personal files, including in connection with academics, employment or safeguarding;
- images, audio and video recordings;
- courses, meetings or events attended;
- correspondence with and concerning staff, pupils and parents past and present; and
- images of pupils and employees engaging in School activities, and images captured by the School’s CCTV system (in accordance with the School’s Data Protection Policy).
HOW WE COLLECT, HANDLE AND SHARE PERSONAL DATA
We collect most of the personal data we process directly from the individual concerned (or in the case of pupils, from their parents). This may be via a form, electronically, or in the course of interaction or communication (including email or written assessments). In some cases, we collect and share data with third parties. For example:
- professional advisers (e.g. lawyers, insurers, PR advisers and accountants);
- government authorities (e.g. French authorities, HMRC, DfE, police or the local authority);
- appropriate regulatory bodies such as OFSTED and the Information Commissioner; and
- schools to be attended by current or former pupils
- examination boards
- School doctors
For the most part, personal data collected by the School will remain within the School, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis). Particularly strict rules of access apply in the context of:
- medical records held and accessed only by the School doctor, or otherwise in accordance with express consent; and
- pastoral or safeguarding files.
However, a certain amount of any SEND pupil’s relevant information will need to be provided to staff more widely in the context of providing the necessary care and education that the pupil requires.
The School is under duties imposed by law and statutory guidance (including Keeping Children Safe in Education) to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity.
This is likely to include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities such as the police. For further information about this, please view the School’s Child Protection – Safeguarding Policy.
Finally, some of the School’s processing activity is carried out on its behalf by third parties, such as IT systems, freelance contractors or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the School’s specific directions.
NATIONAL PUPIL DATABASE (NPD)
We are required to provide information about pupils to the Department for Education as part of statutory data collections.
Some of this information is then stored in the National Pupil Database (NPD), which is owned and managed by the Department and provides evidence on school performance to inform research.
The database is held electronically so it can easily be turned into statistics. The information is securely collected from a range of sources including schools, local authorities and exam boards.
The Department for Education may share information from the NPD with third parties, such as other organisations which promote children’s education or wellbeing in England. These third parties must agree to strict terms and conditions about how they will use the data.
For more information, see the Department’s web page on how it collects and shares research data.
You can also contact the Department for Education with any further questions about the NPD.
TRANSFERS ABROAD
We may share personal information about you with international third parties, where different data protection legislation applies. Where we transfer your personal data to a third-party country or territory, we will do so in accordance with UK Data Protection Law. In cases where we have to set up safeguarding arrangements to complete this transfer, you can get a copy of these arrangements by contacting us.
HOW LONG WE KEEP PERSONAL DATA
The School will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff and pupil personal files is up to 6 years following departure from the School. However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements. If you have any specific queries about how we retain information, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact the Data Protection Officer at [email protected]. However, please bear in mind that the School will often have lawful and necessary reasons to hold on to some personal data even following such a request.
KEEPING IN TOUCH
The School will use the contact details of parents, alumni and other members of the School community to keep them updated about the activities of the School, or alumni and parent events of interest, including by sending updates and newsletters, by email and by post.
Following an initial contact, any subsequent data processing for these purposes will be based on consent. Consent may be withdrawn at any time, by contacting the Data Protection Officer at [email protected]. However, the School is nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to that particular address, email or telephone number).
We fundraise from individuals, companies and foundations who want to support the School and do so in accordance with the Fundraising Regulator Code of Practice. We may analyse publicly available data about potential donors (e.g. from LinkedIn, Companies House, Who’s Who, articles in publications) to create a profile of interests and preferences so that we can make appropriate requests.
YOUR RIGHTS
How to access the personal information we hold about you
Individuals have a right to make a ‘subject access request’ (SAR) to gain access to personal information that the School holds about them.
If you make a SAR, and if we do hold information about you, we will (subject to any exemptions that may apply):
- Give you a description of it
- Tell you why we are holding and processing it, and how long we will keep it for
- Explain where we got it from, if not from you
- Tell you who it has been, or will be, shared with
- Let you know whether any automated decision-making is being applied to the data, and any consequences of this
- Give you a copy of the information in an intelligible form.
You may also have a right for your personal information to be transmitted electronically to another organisation in certain circumstances. If you would like to make a request, please contact our DPO (see ‘Contact us’ below).
Your other rights regarding your data
Under UK data protection law, individuals have certain rights regarding how their personal data is used and kept safe. For example, you have the right to:
- Object to the use of your personal data if it would cause, or is causing, damage or distress
- Prevent your data being used to send direct marketing
- Object to and challenge the use of your personal data for decisions being taken by automated means (by a computer or machine, rather than a person)
- In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
- Withdraw your consent, where you previously provided it for the collection, processing or transfer of your personal data for a specific purpose
- In certain circumstances, be notified of a data breach
- Make a complaint to the Information Commissioner’s Office
- Claim compensation for damages caused by a breach of the data protection regulations.
To exercise any of these rights, please contact us (see ‘Contact us’ below) our DPO.
Requests that cannot be fulfilled – You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals (and parents need to be aware this may include their own children, in certain limited situations – please see further below), or information which is subject to legal privilege (for example legal advice given to or sought by the School, or documents prepared in connection with a legal action).
The School is also not required to disclose any pupil examination scripts (or information consisting solely of pupil test answers), provide examination or other test marks ahead of any ordinary publication, nor share any confidential reference given by the School itself for the purposes of the education, training or employment of any individual.
You may have heard of the “right to be forgotten”. However, we will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your (or your child’s) personal data: for example, a legal requirement, or where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be considered on their own merits.
Pupils’ Requests - pupils can make subject access requests for their own personal data, provided that, in the reasonable opinion of the School, they have sufficient maturity to understand the request they are making (see section Whose Rights? below). The School will consider that all pupils aged 13 and above have sufficient maturity for this purpose. A pupil of any age may ask a parent or other representative to make a subject access request on his/her behalf.
Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger pupils, the law still considers the information in question to be the child’s: for older pupils, the parent making the request may need to evidence their child’s authority for the specific request.
Pupils aged 13 and above are generally assumed to have this level of maturity, although this will depend on both the child and the personal data requested, including any relevant circumstances at home.
Parental Requests - It should be clearly understood that the rules on subject access are not the sole basis on which information requests are handled. Parents may not have a statutory right to information, but they and others will often have a legitimate interest or expectation in receiving certain information about pupils without their consent. The School may consider there are lawful grounds for sharing with or without reference to that pupil.
Parents will in general receive educational and pastoral updates about their children. Where parents are separated, the School will in most cases aim to provide the same information to each person with parental responsibility, but may need to factor in all the circumstances including the express wishes of the child. All information requests from, on behalf of, or concerning pupils – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.
Consent - Where the School is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above). Examples where we do rely on consent are use of photographic images on our website and social media platforms.
Please be aware however that the School may not be relying on consent but have another lawful reason to process the data in question, even without your consent. That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual (e.g. a contract, or because a purchase of goods, services or membership of an organisation such as a parents’ association has been requested).
Whose Rights? - The rights under Data Protection Law belong to the individual to whom the data relates. However, the School will often rely on parental authority or notice for the necessary ways it processes personal data relating to pupils – for example, under the parent contract, or via a form. Parents and pupils should be aware that this is not necessarily the same as the School relying on strict consent (see section on Consent above).
Where consent is required, it may in some cases be necessary or appropriate – given the nature of the processing in question, and the pupil’s age and understanding – to seek the pupil’s consent. Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and taking account of all the circumstances.
In general, the School will assume that pupils’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil’s activities, progress and behaviour, and in the interests of the pupil’s welfare. That is unless, in the School’s opinion, there is a good reason to do otherwise. However, where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, the School may be under an obligation to maintain confidentiality unless, in the School’s opinion, there is a good reason to do otherwise; for example where the School believes disclosure will be in the best interests of the pupil or other pupils, or if required by law.
Pupils are required to respect the personal data and privacy of others, and to comply with the School’s Data Protection Policy and general School rules. Employees are covered under the same policy.
DATA ACCURACY AND SECURITY
The School will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Parents and pupils must notify the Registrar on ccm@eifaschool.com of any significant changes to important information, such as contact details, held about them. For any changes relating to information held about past, present or prospective staff, please contact dos@eifaschool.com. Alternatively, you may contact the DPO directly on [email protected].
An individual has the right to request that any out-of-date, irrelevant or inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why the School may need to process your data and who you may contact if you disagree.
The School will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to School systems. All staff and directors will be made aware of these policies and their duties under Data Protection Law and receive relevant training.
COMPLAINTS
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concerns about our data processing, please raise this with us in the first instance.
To make a complaint, please contact our DPO. Alternatively, you can make a complaint to the Information Commissioner’s Office:
- Report a concern online at https://ico.org.uk/concerns/
- Call 0303 123 1113
- Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.