The General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 give you the right to be informed about how we process your personal information. The information below supports this right.
Intro
Education Training Collective is the data controller for purposes of data protection. We are committed to protecting the personal information of all our staff, students, parents, visitors, employers and partners. The College recognises its obligations to keep personal information secure and believes it is important for you to know how we treat personal information.
Who is Education Training Collective?
Education Training Collective is a group of education institutions, representing Stockton Riverside College, SRC Bede Sixth Form, Redcar and Cleveland College, NETA Training Group, Tees Valley Catering and Skills Academy.
We are happy to receive feedback to make this statement more user-friendly. Please contact us.
Data Protection Officer
Education Training Collective
Harvard Avenue
Thornaby
TS17 6FB
United Kingdom
Lawful Basis
Education Training Collective processes personal information about its staff, students, visitors and wider community under a lawful basis, as defined in the UK Data Protection Act 2018 and UK GDPR.
Legitimate Interest
In all our operations as a Further Education College Group, we use the ‘legitimate interest’ lawful basis for processing in relation to delivering our services and meeting the high expectations of our staff, students and visitors.
Consent
Sometimes, there will be situations where a staff member, student, or visitor may wish to engage with additional services or opportunities. For processing personal information in this way, we seek direct consent. This may be consent from the individual or consent from a parent or carer (depending on the individual’s ability to understand how giving consent might affect them).
We will always use ‘opted in’ consent to send you targeted marketing information. We will ensure that our marketing practices comply with the Privacy and Electronic Communications Regulation (PECR).
Contract
Some of our work with third parties (commercial or otherwise) requires us to create data sharing relationships. Whether either party is acting in a Controller or Processor role, we will always aim to use a Contract as a basis for sharing personal data and will apply data sharing compliance through a Data Sharing Agreement (the Contract, or written form of how we’ll do things).
Legal Obligation
Some information will be processed under a Legal Obligation and this usually relates to financial information, governance and corporate functions. In reference to students, we are under a legal obligation to share personal information with Local Authorities (Section 72 of the Education and Skills Act 2008).
Such information includes:
(a) the name, address and date of birth of the pupil or student;
(b) the name and address of a parent of the pupil or student;
(c) information in the institution’s possession about the pupil or student.
Where a student has not reached the age of 16, their own and their parents’ information will not be shared.
Vital Interests
We may be relied upon to provide personal information to the Emergency Services or other agencies in order for them to save a life or where an imminent or potential threat to life or health exists. We will disclose (only the required) information to these agencies under these circumstances.
Public Task
On occasion, we will be required to disclose personal information to the police for the purpose of the prevention or detection of a crime. As this purpose would be to protect the general public, we will share such information under the legal basis of a Public Task. Where special category personal data is involved and we decide to disclose information, we will also rely on the Condition of a ‘substantial public interest’ (in the prevention or detection of an unlawful act). We will not always be able to let data subjects know that we have disclosed their personal information to the police, but we will keep a record of this decision.
Collection
Education Training Collective may collect your personal information.
How we collect
The methods we use (electronic form, application form, enrolment form, etc) will inform users at the point of data collection that they are submitting personal information to the College. When personal information is collected (in Enquiry Forms or Application Forms, etc), the College will provide the reason for collecting the information and how the information will be used.
Where all such data collection takes place online, a secure, encrypted connection is presented to users to protect the data they are submitting. Furthermore, once that data has been safely collected by the system, only authorised personnel will have access to that data, offering additional security.
Our student loan devices contain software that monitors compliance with our Acceptable Use Policy and helps to keep our IT estate from being misused (whether for criminal activity or for inappropriate usage).
Staff Recruitment: Please note that we will carry out online searches for all successful candidates in line with Keeping Children Safe In Education.
We may also collect personal information, submitted voluntarily, about users from their use of our own social media pages. Users should note that information submitted to social media pages is not, in the first instance, collected by us, or held on our servers, but by the third party service provider such as Facebook, Twitter, etc. However, once we have collected such personal information from the external service provider, only appropriately authorised personnel will have access to this information.
We may share personal information with third party organisations (data processors) that we have engaged to provide services to us (safeguarding and cyber security service providers, etc), or with whom we have a legal duty to share information, such as funding bodies, examination boards, local authorities, etc. Such organisations are bound by the same regulations as us to use personal information only for the performance of a legal or authorised purpose.
We do not process personal data for any purposes or under any bases not listed here. If we wish to use your personal data for new purposes, we will ask for your permission directly first.
Security
Security of Collected Information
We maintain strict physical, electronic and administrative safeguards to protect users’ personal information from unauthorised or inappropriate access. Employees, business partners and affiliates who misuse a user’s personal information are subject to disciplinary actions.
CCTV
Our campuses and buildings utilise fixed-camera Closed Circuit Television systems (CCTV). These are in place for the safety and security of our staff, students, visitors and property.
CCTV Storage
We store images on our CCTV systems for up to 30 days. We may be required to securely store captured images for longer to support internal or external investigations conducted by ‘competent authorities’ such as the police, etc.
Portable CCTV
Some of our staff are authorised to use portable, College-owned devices as an extension of our fixed CCTV cameras in order to safeguard persons and property. These images are captured in line with current regulations, our CCTV procedures and the facility to capture images in this way was introduced subsequent to guidance from the UK data protection regulator, the Information Commissioner’s Office (ICO).
Access Barriers
Where Access Barriers are used across our sites, it is for the purpose of safeguarding the students, staff and visitors on our campuses.
We do not use the barriers for general or targeted surveillance of individuals. However, we may use the data to help support the emergency services during emergency situations (ie, where a person may be unaccounted for in the building).
Confidentiality
Website
We always give our website visitors a secure connection to allow them to submit personal data to us via our online forms.
Online Payments
Additionally, visitors will always be given access to a secure website such as WorldPay in order to submit financial data for reasons of paying for services. We do not retain your credit / debit card numbers in these instances; you are sharing this financial data directly with WorldPay, etc.
We have implemented industry standard security codes of practice, rules and technical measures to protect the personal data that we have under our control to prevent:
- unauthorised access
- improper use or disclosure
- unauthorised modification
- unlawful destruction or accidental loss
All our employees and data processors (others with whom we share personal information [exam boards, employers, local authority, care agencies, financial support agencies, higher education institutes, etc]) are required to respect the confidentiality of your personal data under the strict regulation of the UK General Data Protection Regulation ( UK GDPR) and the UK Data Protection Act 2018. We have Data Sharing Agreements in place with appropriate third-parties.
We ensure that your personal data will not be disclosed to third-party institutions and authorities except if required by law or statutory regulation.
Etc. WiFi
The free wireless connectivity available to all staff, students and guests is secured by industry standard technology to safeguard users’ personal information. In order to do this, the connection is monitored and protected by our firewall, which is made possible when users install our security certificate on their device. The types of ‘personal information’ our wireless network firewall processes is:
- Websites visited
- Device ID (IP address and MAC address)
- Associated activity
Users’ non-network email account usernames and passwords (Gmail, Hotmail, etc) and other online accounts (banking, etc), including passwords, are not stored on our systems, they are kept on the users’ device.
In addition, we do not collect personal information, or track usage when users are not connecting to the internet through our firewall or controlled devices. The security certificate only grants users access through our wireless service, it does not collect or retain information from a user’s device, or track users’ device activity generally.
We monitor both inbound and outbound traffic in order to protect users’ personal information, their device and its contents.
In connecting to our wireless network, users will be expected to abide by our service terms of use and agree to have the information mentioned above monitored and recorded in the firewall logs. These logs are only kept for as long as we need them and no longer.
Your Rights
Be Informed
You have the right to be informed about how we use your personal information, with whom we share it and how you can exercise your rights.
Access
You have the right to access the personal information we hold about you.
Access to the personal data we may hold about you.
You can submit a query to us regarding personal data by completing a Data Subject Access Request form, available by clicking this link;
You can exercise your rights by contacting data@the-etc.ac.uk
The form is offered for your convenience; we will still process your Data Subject Access Request if you send us your request in another format (own letter, email, etc). It is not essential to use the form, but it does offer guidance in terms of the detail we need to help you gain access to the information you require in a timely and efficient manner. It also gives you a secure means to submit proof of identity and proof of representation documents to us (see below), as appropriate. Submitting ID at the time of the request saves time and gets you the information you requested without delay.
Please submit completed SARs to the Data Protection Officer, along with:
- Proof of identity (a current Passport or Driving License)
- Proof of Authorisation (if making a request on behalf of another person)
If a third party is acting on your behalf, we will need proof that you have given them permission to act for you, your proof of ID and the representative’s proof of ID.
We will then determine if you are entitled to receive copies of all or some of your personal information. Where you do have access rights, we provide you with your personal data without undue delay, or within one month of ID validation. We allow you to challenge the data that we hold about you and, where appropriate, you may have the data:
- erased (where not exempt)
- rectified or amended
Rectify, erase or port
Rectify
If we have any of your information wrong, you have the right to instruct us to rectify that information.
Erase
You have the right to have your personal information erased from our system or any system with which we share your personal information. Simply let us know and we’ll remove it.
However, this right relates to any information that you have given us and where we are not also obliged to retain it for lawful purposes. Information that we have created as part of your relationship with us, does not have to be deleted, although you still have the right to access this information. In addition, we may not erase (or disclose) information where an event such as a legal investigation would override your request.
Portability
You have the right to have your personal information ‘ported’, or transferred anywhere you like (an employer, another college, etc). Again, this only applies to personal information you have given us directly.
All the usual ID checks will also apply before we process a request.
Object
You have the right to object to any automated personal data processing that we may do.
This usually means by any automated means, such as profiling, but you can also object to your personal data being used for marketing purposes.
We don’t use your personal information for marketing purposes unless you have agreed to this at the initial point of us collecting your data.
Restrictions
The College may not be required to process any request if it falls within one of the following categories:
- (a) national security;
- (b) defence;
- (c) public security;
- (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- (e) other important objectives of general public interest of the EU or the UK, in particular an important economic or financial interest of the EU or UK, including monetary, budgetary and taxation matters, public health and social security;
- (f) the protection of judicial independence and judicial proceedings;
- (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
- (i) the protection of the data subject or the rights and freedoms of others;
- (j) the enforcement of civil law claims.
Public Access to information via FOI and EIR
As a public authority for the purposes of Freedom of Information Act 2000 and the Environmental Information Regulation 2004, we are subject to public requests for information, which may include generic information about how we operate and some personal information we process. We will always process this in accordance with the interests, rights and freedoms of data subjects and considering whether disclosure would contravene principle (a) of the UK GDPR (Processing must be lawful, fair and transparent).
Contact
Privacy Support
If you have an enquiry or concern about our privacy policy, please contact:
Data Protection Officer
Education Training Collective,
Harvard Avenue,
Thornaby,
Stockton-on-Tees,
TS17 6FB
If, subsequent to our response, you are not satisfied, you may wish to write to the Information Commissioner’s Office, or, subsequently, take other action.