About this Privacy Statement
This Privacy Statement explains how personal data is processed by Sevenoaks School, a registered charity (No. 1101358) and a company limited by guarantee (No. 04908949). It also encompasses data processing by the School’s trading company Sennocke Services Ltd (No. 01980362) and The Friends of Sevenoaks School charity (No. 1164214).
Use of the term ‘the School’ refers to Sevenoaks School, and its associated entities Sennocke Services Limited and Friends of Sevenoaks. Where there is a need to describe the data processing arrangements between the three entities, they are separately identified.
This Privacy Statement also describes how data is processed in conjunction with The Sevenoaks School Foundation (The Foundation), a separate charity with the object of the advancement of Sevenoaks School. The Foundation’s Privacy Statement may be viewed at https://inspire.sevenoaksschool.org
The School is a data controller of your personal data for the purposes of the Data Protection Act 2018 and the EU General Data Protection Regulation 2016 and we take our responsibilities as a controller of data very seriously. This Privacy Statement sets out how the School obtains, processes and protects your personal data, and how we manage our commitment and responsibility to you. It also explains the legal rights that you have in relation to your personal data. If you have any questions about your personal data or its use, please contact the Clerk by email at email@example.com
Types of personal data we process
The School processes personal data about prospective, current and former students and their parents; School staff; suppliers and contractors; commercial customers of Sennocke Services Ltd, and other individuals connected to or visiting the School.
Data processed by the School takes different forms. It may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual.
Examples of data held include:
• name, title, date of birth and gender;
• contact details including address, email, phone numbers;
• occupations and professional activities;
• family and spouse/partner details;
• admissions, academic, disciplinary and other educational records, information about special educational needs, references, examination scripts and marks;
• information related to the health and wellbeing of students;
• education and employment data;
• images, audio and video recordings including CCTV;
• financial information (e.g. for bursary assessment or for fundraising);
• courses, meetings or events attended;
• We also need to process “special category personal data” for certain purposes. i.e. personal data relating to an individual’s health, sex life or sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership.
Purposes for which we process personal data
We process personal data to support the School’s operation as an independent day and boarding school, and in particular for:
• The assessment, selection and admission of students;
• All administration relating to the delivery of education, including curriculum and timetable, monitoring and reporting on pupil progress, administration of examinations and the provision of pupil references (including after the student has left);
• Educational support and co-curricular activities including library services, higher education advice, administration of School sports and trips, and provision of School IT; • The safeguarding and wellbeing of pupils through the provision of pastoral care, and health care services;
• Compliance with legislation and regulation including information required for inspection by the Independent Schools Inspectorate and the provision of annual census information to the Independent Schools Council and Department for Education; • School administration including the management of pupil records, finance (including fees, invoices and accounts), the management and security of School property, including the provision of identity cards and CCTV, planning research and analysis, and the application of School rules;
• Promoting and marketing the School;
• The provision to parents, students and staff of sports services provided by the Sennocke Centre, under the management of Sennocke Services Ltd;
• The opportunity to attend events managed by The Space, under the management of Sennocke Services Ltd;
• The management of our relationships with commercial customers of Sennocke Services Ltd;
• The involvement of parents and staff with The Friends of Sevenoaks School whose object is to engage in activities that advance the education of the students of Sevenoaks School.
• The management of our community education engagement activities
Fundraising and Keeping in Touch
Development and alumni activities in support of Sevenoaks School are managed by the Sevenoaks School Foundation. Please see their separate Privacy Statement for details of the Foundation’s approach to safeguarding your data, and how you may manage preferences, particularly after a pupil has left the School.
How we collect, process and share information about you
We collect most of the personal data we process directly from the individuals concerned, or in the case of pupils, from their parents. We also collect some data from third parties, including referees, previous schools, the Disclosure and Barring Service, professionals or authorities working with the individual, or from publicly available resources.
The School has put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Our online forms that are used to collect personal data such as event booking forms are encrypted. Our network is securely protected and monitored. Our policies on the use of information systems and devices are rigorous. The School undertakes regular reviews of people with access to the information it holds to ensure that it is only available to appropriately trained staff and vetted contractors. Further details of our security measures are available on request from firstname.lastname@example.org
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We may transfer information we process about you to countries outside the EU which do not provide the same level of data protection as the country in which you reside, for example, where your data is being held on our behalf by third party service providers whose servers are geographically located outside the EU. Where this happens, in order to ensure that your personal information is adequately protected we have put in place measures to ensure that your personal information is treated by those third parties in a way that is consistent with and respects the EU and UK laws on data protection such as standard contractual clauses which have been approved by the European Commission.
In the day to day running of the School, we process and share personal data (including special category personal data where appropriate) with third parties such as the School’s professional advisers, the Local Safeguarding Board, the Disclosure and Barring Service, UK Visas and Immigration, HM Revenue and Customs the Department for Education, and third party service providers such as our website hoster.
Information is shared between Sevenoaks School and the Foundation on the basis of the shared objectives and legitimate interests of both organisations. Whereas the School is a controller of personal data primarily for the purposes of providing education and pastoral care of its students, the Foundation is a controller of personal data for the purposes of marketing, development and fundraising, and administering the School’s alumni association (Old Sennockians.) Where it is appropriate and lawful to do so, the School will share personal data with the Foundation and vice versa for their respective purposes. Where personal data is shared, it is always in compliance with our data protection laws. For more information about how the Foundation process personal data please read their Privacy Statement at https://inspire.sevenoaksschool.org/privacy-statement.
Information is also shared between the School, Sennocke Services Ltd and Friends of Sevenoaks, again on the basis of the shared objectives and on the legal basis that it is in the legitimate interest of all three associated organisations.
The legal basis for processing your personal data
We will process your personal data on the basis of one or more legal grounds depending upon the specific purpose for which we are using your information, but in most cases, the legal basis falls into one of the following categories below. (Where appropriate, we have also identified our legitimate interests in processing your personal data.)
• For contractual purposes:
o E.g. we need to process personal data in order to fulfil our duties and obligations under the parent contract including the provision of education and pastoral care.
• Where you have provided your consent:
o We require your consent to publish images of you on our website and on third party social networking platforms.
o We rely on your consent to send you electronic direct marketing such as email, SMS and telephone.
o We rely on consent to share personal data and special category personal data with third party professionals such as Educational Psychologists for specialist assessment or to examination boards.
o We may rely on consent to share a reference and other information in support of an application to other educational establishments such as universities. Where we rely on your consent to process your personal data, you can withdraw that consent at any time.
• To comply with our legal obligations or for the purposes of substantial public interest:
o E.g. we are required by law to process personal data in order to comply with our safeguarding and other legal obligations. This may involve sharing personal data and special category personal data with other agencies such as the Local Authority.
• Where processing is necessary for the purposes of preventative or occupational medicine or provision of treatment by a health professional:
o E.g. the School’s nurses will collect and process medical data when assessing the medical needs of students or providing them with medical treatment.
• Where the processing is necessary for the purposes of the legitimate interests of the School or the legitimate interests of a third party such as the Foundation or the Friends of Sevenoaks providing these are not overridden by the interests rights and freedoms of individuals and do not involve the processing of special category personal data:
Many of the purposes for which the School processes personal data will be based upon this legal ground. Examples, include:
o We may send you marketing on our own behalf or on behalf of others such as the Friends of Sevenoaks for legitimate business purposes which include raising funds for the School. But you always have the right to control how we go about this by updating your marketing preferences or to stop receiving marketing altogether;
o To give and receive information and references about former, current or prospective students, including information about outstanding fees or payment history;
o To appropriately monitor use of the School’s IT and communications system so as to ensure that it is being used in accordance with School policy and the law;
o To lawfully monitor School buildings and individuals using CCTV for the prevention and detection of crime, for the safety of our students, staff and visitors and to protect School buildings and property;
o For the purposes of management planning and forecasting, research and statistical analysis such as diversity or gender pay gap analysis;
o We transfer personal data between the Foundation and the School for legitimate and reasonable purposes where those purposes assist the Foundation with its fundraising objective or to protect the School’s interests. e.g. where it is necessary to understand any conflict of interest which may arise in the context of a donation.
The School may also process personal data where it is necessary to protect the vital interests of an individual or where it is necessary to do so in the context of legal claims and proceedings in order to protect the interests of the School, our staff or our students.
How long will the School keep your personal data?
Your personal data will be retained securely for so long as is necessary to fulfil the purposes we collected it for but including for the purposes of satisfying any legal*, accounting or reporting requirements and where required to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Upon expiry of the applicable retention period we will securely destroy your personal data in accordance with data protection law or other applicable regulation. If you have any specific questions about retention of your information please contact email@example.com
Under Data Protection Law you have the right to:
• Obtain access to, and copies of, the personal data we hold about you;
o The School is required to respond within one month. But please note, we may be able to respond more quickly to targeted requests for information. If your request is manifestly excessive or similar to previous requests, we may ask you to reconsider or charge a fee where the law permits us to do so.
o The School may legally withhold your personal data in certain circumstances. For example, where making the information available to you would reveal personal data about another person. The School is also legally entitled to withhold information that is legally privileged, references given or to be given in confidence for employment or educational purposes and student examination scripts.
• Correct any inaccurate data we hold about you;
• Ask for data about you to be amended or erased, subject to certain limitations;
• Ask us not to send you communications;
• Withdraw your consent to any further processing, where the School is relying on consent as a ground for processing;
• In certain circumstances receive data in a reasonable format specified by you;
• Request the restriction of the processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
• Object to the processing of your personal data where we are relying on a legitimate interest (or the legitimate interest of a third party) and there is something about your particular situation which makes you want to object to the processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
If you wish to access or amend your personal data or object to how it is used, please contact Gail Jones, Clerk to the Governors, in writing or by email to: firstname.lastname@example.org. We will respond as soon as we can, and certainly within the statutory time limits.
If you fail to provide personal data to us
Where we need to process your personal data in order to comply with a law (for instance, in relation to necessary checks with the Disclosure and Barring Service) or under the terms of a contract we have with you and you fail to provide the personal data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with employment or admit your child to the School). In these sort of circumstances, we may have to decline to provide you with a service or enter into a contract with you, but we will notify you if this is the case at the time the personal data is collected.
If you wish to exercise any of the rights you have in relation to your personal data please contact email@example.com. We will respond as soon as reasonably practicable, and certainly within the statutory time limits.
Where consent is necessary for the processing of student data, we will rely on parental consent unless, given the nature of the processing in question and the student’s age and understanding, it is more appropriate to rely on the student’s consent. Parents may not always be consulted. This will depend on the interest of the child, the parents’ rights under their contract or other legal rights, and the precise nature of the circumstances.
Apart from in exceptional circumstances, a student’s consent will not be required to keep parents informed about the pupil’s progress, activities, behaviour and welfare. Where a pupil raises a confidential matter and expressly withholds their consent to disclosure to their parents there may be an obligation to maintain confidentiality. Alternatively the School may take the decision that disclosure is in the best interest of the student or students, or may be required by law.
Students may make subject access requests for their own personal data, provided they have sufficient maturity to understand the request they are making. Requests can be made by a parent or other person on behalf of a student. However, if the School deems that the student has sufficient maturity, it may require their consent before their personal data is disclosed to their parent or other representative.
Keeping your information up to date
The School has a responsibility to keep your information accurate and up to date. To help us with this task you should inform us of any changes. You can amend your data with us at any time, and we will remind you of this in all communications we send.
Children and privacy
The safety and welfare of pupils is paramount. The School will not, for example, use individual student stories without parental and student’s consent. Images which do not intrude on individual privacy may be used in accordance with School policy.
Your comments and feedback will help us to learn and improve. If you wish to communicate with us about any aspect of your experience of the School, please contact firstname.lastname@example.org.
If you are not satisfied with our response you can make a complaint to the Information Commissioners Office (ICO).
Changes to our privacy statement
The School may change this policy from time to time. If we make significant changes in the way we treat your information we will make this clear on the School website or by contacting you directly.
If you have any questions about this Privacy Statement please contact Gail Jones, Clerk to the Governors, Sevenoaks School, High Street, Kent, TN13 1HU. email@example.com