Privacy Policy
Group Privacy Policy
Introduction
1. This Privacy Notice (Notice) is to help you understand how and why we collect personal information about you and what we do with that information. It also explains the decisions that you can make about your own information.
2. If you have any questions about this Notice please contact the Group Director of ICT.
3. This Notice is aimed at all Stowe Group colleagues (including employees, Governors, volunteers and certain contractors and agency colleague) and applicants for employment vacancies. This Notice does not form part of your contract of employment and the Stowe Group may amend this Notice at any time.
What is personal information?
4. Personal information is information which is about you and from which you can be identified.
5. This includes your contact details, next of kin and financial information. We will also hold information such as your religion or ethnic group for the purposes of statistical data. CCTV, photos and video recordings of you are also personal information.
What personal information does the Stowe Group hold about you and how is this obtained?
6. We set out below examples of the personal information the Stowe Group holds about you and where this personal information comes from
7. Information about you is gathered during the recruitment process, for example:
7.1 information about your education, qualifications and professional achievements;
7.2 when you provide certain information to us, for example, on your application form and during any interviews; and
7.3 when we receive your personal information (from you and third parties) in carrying out pre-employment checks, for example, when we receive references, confirmation of your fitness to work, your right to work in the UK and criminal records checks.
8. We will hold information about your job performance. This includes information about skills, achievements, career progression, performance and disciplinary-related matters.
9. We hold and use your financial information, such as your bank details, your salary and pension details.
10. Where appropriate, the Stowe Group will have information about your religious beliefs and practices, for example, if you do not eat certain foods.
11. We will hold information about any physical or mental health condition you may have which is disclosed to the Stowe Group during the recruitment process or at any stage during your employment.
12. We will hold information about any protected characteristics you may have (e.g. a disability) which you provide, for example on our electronic HR system.
13. Your personal information will be created internally by the Stowe Group during the course of your employment. A correspondence from the Academic Lead to a colleague complimenting them on class management would be an example of this.
14. Your personal information may be acquired from outside of the Stowe Group community such as from occupational health practitioners or from public authorities such as the Police or the Local Authority Designated Officer.
15. Pupils will often provide us with your personal information, for example, if a pupil emails their form teacher to say how much they are helping them with their work.
16. Your personal information will be held on the Single Central Register.
Our legal bases for using your information
17. This section contains information about the legal bases that we are relying on when handling your information.
18. The two tables below contain a general description of the different legal bases so that you can see which bases we are relying on for each of the purposes described at paragraphs 20 to 39 below.
19. If we do not have a contract with you, for example, if you are a Governor or volunteer, we will not rely on the contractual basis ("CT") to use your information.
|
Legitimate interests ("LI") This means that the Stowe Group is using your information when this is necessary for the Group's legitimate interests except when your interests and fundamental rights override our legitimate interests. Specifically, the Stowe Group has a legitimate interest in:
In addition, your personal information may be processed for the legitimate interests of others. For example with external activity providers if they need to contact you directly or for their own emergency or insurance purposes. Necessary for contract ("CT") We will need to use your information in order to comply with our contractual obligations and for you to perform your obligations as well. For example:
Legal obligation ("LO") As a Group of Schools we have to comply with various laws and this entitles us to use your information where necessary. For example:
Vital interests We may use your information where this is necessary to protect your vital interests or someone else's, for example, to prevent someone from being seriously harmed or killed. Performance of a task carried out in the public interest (or carrying out public tasks) ("PI") The following are examples of when we use your information to perform tasks in the public interest:
|
The Stowe Group must also comply with an additional condition where it processes special categories of personal information. These special categories are as follows: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric information, health information, and information about sex life or orientation.
The bases that we are relying on to process special categories of personal information are set out below:
|
Employment, social security and social protection ("ESP") The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Stowe Group and colleagues in the field of employment, social security or social protection. Social security and protection is concerned with preventing, managing, and overcoming situations that adversely affect people’s wellbeing. For example, sometimes this would allow us to disclose your information to third parties such as the DBS or occupational health services. More detail of when we will do so is set out below. Vital interests To protect the vital interests of any person where that person cannot give consent, for example, if they are seriously hurt and are unconscious. Legal claims ("LC") The processing is necessary for the establishment, exercise or defence of legal claims. This allows us to share information with our legal advisors and insurers. Medical purposes ("MP") This includes medical treatment and the management of healthcare services. Substantial public interest ("SPI") The Stowe Group is also allowed to use special categories of personal information where doing so is necessary in the substantial public interest. This is similar to "Public interest" in the table above. |
Why does the Stowe Group use your personal information?
20. The letters below refer to the legal bases we are relying on, please see the section above for an explanation.
21. We commonly use personal information for:
21.1. providing education and support to our pupils - LI, PI, SPI;
21.2. ensuring that we provide a safe and secure work environment - LI, PI, ESP, SPI;
21.3. providing employment services (such as payroll) - LI, CT;
21.4. providing training and support- LI, PI, SPI;
21.5. protecting and promoting the Stowe Group's interests and objectives (including fundraising) - LI;
21.6. personnel, administrative and management purposes and to enable us to meet our legal obligations as an employer, for example, to pay colleagues and to monitor their performance - LI, CT, LO, PI, ESP, SPI;
21.7. safeguarding and promoting the welfare of all colleagues and pupils - LI, PI, ESP, SPI; and
21.8. fulfilling our contractual and other legal obligations - CT, LO, ESP.
22.Some specific examples of when the Stowe Group uses your personal information are set out below:
22.1 We use your personal information to consider your suitability to work in your role within the Stowe Group - LI, LO, PI, SPI.
22.2. We will check that you have the right to work in the UK by reviewing your identification documents and keeping copies on your personnel file - LI, LO.
22.3 Before finalising your contract of employment, we will check your online digital presence, using third party provider. In line with requirements from KCSIE. – LI, LO
22.4. We will use your personal information in addressing any performance or disciplinary concerns which arise - LI.
22.5. We will use information relating to any medical condition you may have in order to verify fitness to work, monitor sickness absence and comply with our duty of care towards you - LI, MP.
22.6. We will use your information when dealing with complaints and grievances with which you are involved (e.g. from other colleagues, pupils and parents) - LI.
22.7. We often use photographs and video recordings of colleagues for marketing and promotion purposes. This will include in Stowe Group School publications, in social media and on the Stowe Group School websites - LI.
22.8 We will also allow external publication of certain media where appropriate (for example, a photograph or article in a local newspaper) - LI.
22.9 We may also make recordings for teaching purposes, for example, recording a drama lesson to provide feedback to you or pupils. We may also record lessons for pupils who were not able to attend in person - LI, PI, SPI.
22.10 We use CCTV recordings for the purposes of crime prevention and investigation and also in connection with our obligation to safeguard the welfare of pupils, colleagues and visitors to the Stowe Group sites. Further information about the use of CCTV can be found in the Stowe Group CCTV policy - LI, PI, SPI.
22.11. The Stowe Group regularly monitors and accesses its IT system for purposes connected with the operation of the Schools. The Stowe Group IT system includes any hardware, software, email account, computer, device or telephone provided by the Stowe Group or used for School business. The Stowe Group may also monitor accounting information regarding colleague use of the Stowe Group telephones - LI, PI, SPI.
22.12. Voicemail messages are protected using a PIN number and colleagues going away for long periods would be expected to leave extended greeting messages and use the out of office email facility. In exceptional circumstances access to colleague communications over Stowe Group School systems may be sought using the procedures below - LI, PI, SPI.
22.13.Exceptional monitoring and access to communications will only be allowed to ensure the Stowe Group fulfils its legal obligations, including the investigation of serious breaches of the Stowe Group policies and procedures, for example, to investigate allegations that a colleague has been using their email account to send abusive or inappropriate messages.
22.14. Communications Access Procedure:
A member of the Executive Management Team (ELT) or Senior Leadership Team (SLT) will make a request to the Group Director of ICT for approval. This will include:
a) the information that is required and b) the reason for the request.
Monitoring may be carried out on a random basis and it may be carried out in response to a specific incident or concern - LI.
22.15. The Stowe Group also uses software which automatically monitors and logs the use of the Stowe Group IT systems, for example, it would log the event if a colleague visited a blocked website - LI.
22.16. The monitoring and reviews are carried out by the IT Manager under instruction from the Group Director of ICT. If anything of concern is revealed as a result of such monitoring and reviews, then this information may be shared with the relevant Head, Group People Director or appropriate members of the ELT and this may result in disciplinary action. In exceptional circumstances concerns will need to be referred to external agencies such as the Police - LI
22.17. We may use your information when ensuring network and information security, for example, our anti-virus software might scan files containing information about you - LI.
22.18. We will send you information about how to support the Stowe Gorup, for example fundraising opportunities - LI.
22.19. We may keep details of your address when you leave our employment so we can keep in touch - LI.
22.20. If we provide you with accommodation under your contract we will use your personal information as part of this provision - LI, CT, PI, ESP, SPI.
22.21. We can keep information about you for a very long time or even indefinitely if we need this for historical, research or statistical purposes, for example, if we consider the information might be useful if someone wanted to write a book about the Stowe Group - LI.
22.22. We will send you information to keep you up to date with what is happening within the Stowe Group, for example, by sending you information about events and activities taking place (including fundraising events) and the relevant School newsletter. For details of how the Stowe Group uses your personal information for fundraising purposes please see our Fundraising Privacy Notice - LI.
22.23. We may also pass your details onto the alumni organisation - LI.
23. If you fail to provide certain information when requested, we may not be able to perform our obligations under the contract of employment or agreement we have entered into with you (such as paying you or providing a benefit). Alternatively, we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our colleagues).
How does the Stowe Group share colleague personal information with third parties?
24. We will need to share your information with:
24.1. the DBS and / or the National College for Teaching and Leadership (NCTL) (if applicable) / online digital presence checking company when complying with our legal duty to carry out pre-appointment suitability checks - LI, LO, PI, ESP, SPI; and
24.2. the DBS and / or the NCTL (if applicable) if circumstances arise in which we are required to make a referral to either or both of these bodies - LI, LO, PI, ESP, SPI.
25. To fulfil our obligations to you as an employer we will need to share your information with medical professionals, such as occupational health services or where we are making a referral - LI, CT, MP
26. Occasionally we may use consultants, experts and other advisors (including legal advisors and accountants) to assist us in fulfilling our obligations and to help run the Schools within the Stowe Group properly. We will share your information with them if this is relevant to the work they carry out - LI, PI, ESP, LC, SPI.
27. In accordance with our legal obligations, we will share information with the Independent Schools Inspectorate / Ofsted, for example, during the course of an inspection, and may need to share your information with the Department for Education - LI, LO, PI, ESP, SPI.
28. As an employer we must check if you can work in the UK before we employ you. Additionally, if you are sponsored by us under Tier 2 or Tier 5 in certain circumstances we will have to provide information about you to UK Visas and Immigration (UKVI) to comply with our duties as a Tier 2/5 sponsor - LI, LO, SPI.
29. We may share some of your information with our insurance company or benefit providers, for example, where there is a serious incident within the Stowe Group or to ensure that you are able to take advantage of the benefit - LI, LC.
30. We may share your information with benefit providers, for example, to ensure that you are able to take advantage of the benefit - LI, CT, PI, ESP, SPI.
31. We may need to share information about you with the Health and Safety Executive (a government organisation) if there is a health and safety issue within the Stowe Group - LI, LO, PI, ESP, SPI.
32. The Stowe Group is a charity which means that in exceptional circumstances we may need to share your information with the Charity Commission, e.g. in the event of a serious incident - LI, LO, PI, ESP, SPI.
33. If the Stowe Group is dealing with a complaint or grievance (e.g. from a colleague or a parent), we will need to share your information with other parties if it is relevant, for example, the appropriate colleague at the School, the colleague or parents making the complaint and Governors - LI, PI, SPI.
34. If appropriate, we will share your information with individuals connected to the Schools who are exercising their data protection rights, for example, when responding to a subject access request - LI, LO.
35. We will share personal information about a colleague with the relevant statutory agencies if it is appropriate to share this information to investigate allegations of misconduct - LI, LO, PI, ESP, SPI.
36. On occasion, we may need to share your information with the Police for the prevention and investigation of crime and the prosecution of offenders. We will only do this in specific circumstances to assist the Police with their investigations. In exceptional circumstances, CCTV and Automatic Number Plate Recognition (ANPR) recordings may be disclosed to third parties such as the Police - LI, LO, PI, ESP, SPI.
37. If appropriate, we will share your information with parents and pupils where this is related to your professional duties, such as information about the subjects you teach - LI, PI, ESP, SPI.
38. We may need to share your information if there is an emergency, for example, if you are hurt in an accident - LI, PI, ESP, SPI.
39. We sometimes use contractors to handle personal information on our behalf. The following are some examples:
39.1. our Management Information Systems provider(s);
39.2. IT consultants who might access information about you when checking the security of our IT network; and
39.3. we use third party "cloud computing" services to store some information rather than the information being stored on hard drives located on the Stowe Group School sites.
Transfers of your personal information overseas
40. We may send your information to countries which do not have the same level of protection for personal information as there is in the UK. For example, we may communicate with you using your work email address when you are overseas (for example, when you are on holiday).
41. The European Commission has produced a list of countries which have adequate data protection rules.
42. If the country that we are sending your information to is not on the list or is not a country within the EEA (which means the European Union, Liechtenstein, Norway and Iceland), then it might not have the same level of protection for personal information as there is in the UK.
43. We will provide you with details about the safeguards which we have in place outside of this Notice. If you have any questions about the safeguards that are in place, please contact the Privacy Officer.
For how long does the Stowe Group keep colleague personal information?
44. We keep your information for as long as we need to in relation to your employment. We will keep some information after you have left the Stowe Group in case this is needed, for example, in relation to our legal obligations.
45. In exceptional circumstances we may keep your information for a longer time than usual but we would only do so if we had a good reason and only if we are allowed to do so under data protection law.
Processing in line with your rights
46. From May 2018 data protection legislation gives you a number of rights regarding your information. Some of these are new rights whilst others build on your existing rights. Your rights are as follows:
46.1. Rectification: if information the Stowe Group holds about you is incorrect you can ask us to correct it.
46.2. Access: you can also ask what information we hold about you and be provided with a copy of it. This is commonly known as making a subject access request. We will also give you extra information, such as why we use this information about you, where it came from and what types of people we have sent it to.
46.3 Deletion: you can ask us to delete the information that we hold about you in certain circumstances, for example, where we no longer need the information.
46.4. Portability: you can request the transfer of your information to you or to a third party in a format that can be read by computer. This applies where (a) the information has been provided by you; (b) the basis that we are relying on to process your information is consent or contract (please see "Our legal bases for using your information" above); and (c) the information is being processed by us on computer.
46.5. Object: you may object to us using your information where:
46.5.1. we are relying on either the legitimate interests or performance of a task carried out in the public interest legal basis to use it - please see the section "Our legal bases for using your information" above;
46.5.2. we are using it for historical or scientific research purposes or archiving purposes. For example, we may keep photographs of colleague for historical reasons;
46.5.3. we are using it for direct marketing purposes (e.g. to send you the relevant School magazine).
46.6. Restriction: our use of information about you may be restricted in some cases. For example, if you tell us that the information is inaccurate, we can only use it for limited purposes while we check its accuracy.
The Privacy Officer can give you more information about your data protection rights. To exercise any of your rights you can submit your request in writing to the Privacy Officer.
Criminal offence information
47. We may only use information relating to criminal convictions and offences where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations or to exercise our rights or where there is a substantial public interest in doing so.
48. Less commonly, we may use information relating to criminal convictions and offences where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
Consent
49. We may ask for your consent to use your information in certain ways as an alternative to relying on any of the bases in this Notice. For example, we may ask for your consent before taking or using some photographs and videos if the photograph or video is more intrusive and we cannot rely on legitimate interests. If we ask for your consent to use your personal information you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid. You can speak to the Group Director of ICT or the Privacy Officer if you would like to withdraw any consent given.
More than one basis
50. As you will see from this Notice, in some cases we will rely on more than one basis above for a particular use of your information. In addition, we may move from one of the legal bases listed above to another as circumstances change. For example, as a safeguarding matter becomes more serious, we may start to rely on legal obligation to share personal information with the local authority in addition to the other legal bases which are noted for safeguarding purposes.
|
Author |
Debbie Dickson |
|
Date of Review |
August 2024 |
|
Approving Body |
ELT |
|
Regulatory References |
UK GDPR January 2021 |
|
Data Protection Act 2018 |
|
|
Keeping Children Safe in Education (KCSIE)2024 |
|
|
Next Review |
April 2025 |
Document distribution:
|
All colleagues |