The General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 give you the right to be informed about how we process your personal information. The information below supports this right.
Education Training Collective is the data controller for purposes of data protection. We are committed to protecting the personal information of all our staff, students, parents, visitors, employers and partners. The College recognises its obligations to keep personal information secure and believes it is important for you to know how we treat personal information.
Who is Education Training Collective?
Education Training Collective is a group of education institutions, representing Stockton Riverside College, SRC Bede Sixth Form, Redcar and Cleveland College, NETA Training Group, Tees Valley Catering and Skills Academy.
We are happy to receive feedback to make this statement more user-friendly. Please contact us.
Data Protection Officer
Education Training Collective
Education Training Collective processes personal information about its staff, students, visitors and wider community under a lawful basis, as defined in the UK Data Protection Act 2018 and UK GDPR.
In all our operations as a Further Education College Group, we use the ‘legitimate interest’ lawful basis for processing in relation to delivering our services and meeting the high expectations of our staff, students and visitors.
Sometimes, there will be situations where a staff member, student, or visitor may wish to engage with additional services or opportunities. For processing personal information in this way, we seek direct consent. This may be consent from the individual or consent from a parent or carer (depending on the individual’s ability to understand how giving consent might affect them).
We will always use ‘opted in’ consent to send you targeted marketing information. We will ensure that our marketing practices comply with the Privacy and Electronic Communications Regulation (PECR).
Some of our work with third parties (commercial or otherwise) requires us to create data sharing relationships. Whether either party is acting in a Controller or Processor role, we will always aim to use a Contract as a basis for sharing personal data and will apply data sharing compliance through a Data Sharing Agreement (the Contract, or written form of how we’ll do things).
Some information will be processed under a Legal Obligation and this usually relates to financial information, governance and corporate functions. In reference to students, we are under a legal obligation to share personal information with Local Authorities (Section 72 of the Education and Skills Act 2008).
Such information includes:
(a) the name, address and date of birth of the pupil or student;
(b) the name and address of a parent of the pupil or student;
(c) information in the institution’s possession about the pupil or student.
Where a student has not reached the age of 16, their own and their parents’ information will not be shared.
We may be relied upon to provide personal information to the Emergency Services or other agencies in order for them to save a life or where an imminent or potential threat to life or health exists. We will disclose (only the required) information to these agencies under these circumstances.
On occasion, we will be required to disclose personal information to the police for the purpose of the prevention or detection of a crime. As this purpose would be to protect the general public, we will share such information under the legal basis of a Public Task. Where special category personal data is involved and we decide to disclose information, we will also rely on the Condition of a ‘substantial public interest’ (in the prevention or detection of an unlawful act). We will not always be able to let data subjects know that we have disclosed their personal information to the police, but we will keep a record of this decision.
Education Training Collective may collect your personal information.
How we collect
The methods we use (electronic form, application form, enrolment form, etc) will inform users at the point of data collection that they are submitting personal information to the College. When personal information is collected (in Enquiry Forms or Application Forms, etc), the College will provide the reason for collecting the information and how the information will be used.
Where all such data collection takes place online, a secure, encrypted connection is presented to users to protect the data they are submitting. Furthermore, once that data has been safely collected by the system, only authorised personnel will have access to that data, offering additional security.
Our student loan devices contain software that monitors compliance with our Acceptable Use Policy and helps to keep our IT estate from being misused (whether for criminal activity or for inappropriate usage).
Staff Recruitment: Please note that we will carry out online searches for all successful candidates in line with Keeping Children Safe In Education.
We may also collect personal information, submitted voluntarily, about users from their use of our own social media pages. Users should note that information submitted to social media pages is not, in the first instance, collected by us, or held on our servers, but by the third party service provider such as Facebook, Twitter, etc. However, once we have collected such personal information from the external service provider, only appropriately authorised personnel will have access to this information.
We may share personal information with third party organisations (data processors) that we have engaged to provide services to us (safeguarding and cyber security service providers, etc), or with whom we have a legal duty to share information, such as funding bodies, examination boards, local authorities, etc. Such organisations are bound by the same regulations as us to use personal information only for the performance of a legal or authorised purpose.
We do not process personal data for any purposes or under any bases not listed here. If we wish to use your personal data for new purposes, we will ask for your permission directly first.
Under the ‘legitimate interest’ lawful purpose for processing personal data we will sometimes share the personal information of employees, students, visitors, etc with third parties.
We share information in two ways:
- One off sharing
- Systematic sharing
One off sharing is where we share information with a third parties once a year or rarely (ad hoc).
Systematic sharing is when we share information on a regular or ongoing basis.
In all cases, we will use the most relevant method for sharing personal information and will aim to have an agreed Data Sharing Agreement in place in the form of a contract, agreement or other formal arrangement, so that each party understands how, when, why and by whom data can be shared.
We may share personal information with a range of third parties. The categories of which are as follows:
- Local authorities (and their associated services)
- Schools (to support transitions)
- Employment agencies (to facilitate non-salaried staff)
- Employers (and potential employers, re: references, work experience, placements, etc)
- ESFA (funding body – attendance, achievement, actual destinations, etc – legal duty)
- The Police (prevention and detection of crime, investigations)
- DBS and background check agencies (for safeguarding)
- Exam boards (certification, results, access arrangements)
- Safeguarding and Security service / software providers
- Other agencies where the sharing is in the best interests of the data subject.
Sharing information with parents / carers.
The people you live with, or know you well are the best people to support you during your time in Further Education. With this in mind we may need to send out information relating to your attendance, achievement and any general information which relates specifically to your course or place of study. The types of general information may include details of college closure, updates regarding parent/carer events, updates relating to impact of external issues such as with the COVID pandemic. We will never use this information to send promotional content. We share this information under a lawful basis of legitimate interests.
We may be required to share personal information before, during or after your relationship with us is established (employee, student, visitor, etc).
Actual Destination Data
An example of data shared afterwards is Actual Destination data, which we must provide to the Education and Skills Funding Agency (ESFA). We contact ex-students between October (after the course ends) and March (of the following calendar year). We have a legal duty to provide this information. We may call, email, text or write to you. This is not a marketing communication, but one which allows us to meet our legal duty.
We want to protect your personal data, but we do not wish to hinder your chances of establishing or moving on with your career or life goals. If we have shared your personal information in a way that you do not like, please let us know and we will do our best to fix the issue.
Security of Collected Information
We maintain strict physical, electronic and administrative safeguards to protect users’ personal information from unauthorised or inappropriate access. Employees, business partners and affiliates who misuse a user’s personal information are subject to disciplinary actions.
Our campuses and buildings utilise fixed-camera Closed Circuit Television systems (CCTV). These are in place for the safety and security of our staff, students, visitors and property.
We store images on our CCTV systems for up to 30 days. We may be required to securely store captured images for longer to support internal or external investigations conducted by ‘competent authorities’ such as the police, etc.
Some of our staff are authorised to use portable, College-owned devices as an extension of our fixed CCTV cameras in order to safeguard persons and property. These images are captured in line with current regulations, our CCTV procedures and the facility to capture images in this way was introduced subsequent to guidance from the UK data protection regulator, the Information Commissioner’s Office (ICO).
Where Access Barriers are used across our sites, it is for the purpose of safeguarding the students, staff and visitors on our campuses.
We do not use the barriers for general or targeted surveillance of individuals. However, we may use the data to help support the emergency services during emergency situations (ie, where a person may be unaccounted for in the building).
We always give our website visitors a secure connection to allow them to submit personal data to us via our online forms.
Additionally, visitors will always be given access to a secure website such as WorldPay in order to submit financial data for reasons of paying for services. We do not retain your credit / debit card numbers in these instances; you are sharing this financial data directly with WorldPay, etc.
We have implemented industry standard security codes of practice, rules and technical measures to protect the personal data that we have under our control to prevent:
- unauthorised access
- improper use or disclosure
- unauthorised modification
- unlawful destruction or accidental loss
All our employees and data processors (others with whom we share personal information [exam boards, employers, local authority, care agencies, financial support agencies, higher education institutes, etc]) are required to respect the confidentiality of your personal data under the strict regulation of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We have Data Sharing Agreements in place with appropriate third-parties.
We ensure that your personal data will not be disclosed to third-party institutions and authorities except if required by law or statutory regulation.
The free wireless connectivity available to all staff, students and guests is secured by industry standard technology to safeguard users’ personal information. In order to do this, the connection is monitored and protected by our firewall, which is made possible when users install our security certificate on their device. The types of ‘personal information’ our wireless network firewall processes is:
- Websites visited
- Device ID (IP address and MAC address)
- Associated activity
Users’ non-network email account usernames and passwords (Gmail, Hotmail, etc) and other online accounts (banking, etc), including passwords, are not stored on our systems, they are kept on the users’ device.
In addition, we do not collect personal information, or track usage when users are not connecting to the internet through our firewall or controlled devices. The security certificate only grants users access through our wireless service, it does not collect or retain information from a user’s device, or track users’ device activity generally.
We monitor both inbound and outbound traffic in order to protect users’ personal information, their device and its contents.
You have the right to be informed about how we use your personal information, with whom we share it and how you can exercise your rights.
You have the right to access the personal information we hold about you.
Access to the personal data we may hold about you.
You can submit a query to us regarding personal data by completing a Data Subject Access Request form, available by clicking this link;
The form is offered for your convenience; we will still process your Data Subject Access Request if you send us your request in another format (own letter, email, etc). It is not essential to use the form, but it does offer guidance in terms of the detail we need to help you gain access to the information you require in a timely and efficient manner. It also gives you a secure means to submit proof of identity and proof of representation documents to us (see below), as appropriate. Submitting ID at the time of the request saves time and gets you the information you requested without delay.
Please submit completed SARs to the Data Protection Officer, along with:
- Proof of identity (a current Passport or Driving License)
- Proof of Authorisation (if making a request on behalf of another person)
If a third party is acting on your behalf, we will need proof that you have given them permission to act for you, your proof of ID and the representative’s proof of ID.
We will then determine if you are entitled to receive copies of all or some of your personal information. Where you do have access rights, we provide you with your personal data without undue delay, or within one month of ID validation. We allow you to challenge the data that we hold about you and, where appropriate, you may have the data:
- erased (where not exempt)
- rectified or amended
Rectify, erase or port
If we have any of your information wrong, you have the right to instruct us to rectify that information.
You have the right to have your personal information erased from our system or any system with which we share your personal information. Simply let us know and we’ll remove it.
However, this right relates to any information that you have given us and where we are not also obliged to retain it for lawful purposes. Information that we have created as part of your relationship with us, does not have to be deleted, although you still have the right to access this information. In addition, we may not erase (or disclose) information where an event such as a legal investigation would override your request.
You have the right to have your personal information ‘ported’, or transferred anywhere you like (an employer, another college, etc). Again, this only applies to personal information you have given us directly.
All the usual ID checks will also apply before we process a request.
You have the right to object to any automated personal data processing that we may do.
This usually means by any automated means, such as profiling, but you can also object to your personal data being used for marketing purposes.
We don’t use your personal information for marketing purposes unless you have agreed to this at the initial point of us collecting your data.
The College may not be required to process any request if it falls within one of the following categories:
- (a) national security;
- (b) defence;
- (c) public security;
- (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- (e) other important objectives of general public interest of the EU or the UK, in particular an important economic or financial interest of the EU or UK, including monetary, budgetary and taxation matters, public health and social security;
- (f) the protection of judicial independence and judicial proceedings;
- (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
- (i) the protection of the data subject or the rights and freedoms of others;
- (j) the enforcement of civil law claims.
Data Protection Officer
Education Training Collective,
If, subsequent to our response, you are not satisfied, you may wish to write to the Information Commissioner’s Office, or, subsequently, take other action.
To comply with government legislation and rules, we may be required to take non-contact body temperatures, manage records of those suffering coronavirus symptoms (and those who have come into close contact with a person suffering from the virus itself), record class seating arrangements, or process other personal and sensitive information in order to monitor the coronovirus in our buildings. We process this personal information under the lawful basis of a legal duty.
Digital Content and Streaming
In line with legislation and/or government guidance and our own safeguarding procedures, we may process personal information by using safe, authenticated digital technologies to share conversations, learning content and other digitised content which may take the form of text, links, audio, video or all media formats. Our lawful basis for processing in this way remains the same: Legitimate Interest. Typically, we use Microsoft Teams to share these interactions. We may, at times, use other software for this purpose. Advice and guidance is available from tutors in relation to the safety and security of platforms. Information is also available from the software vendor: https://www.microsoft.com/en-gb/trust-center?rtc=1