GEORGE HERIOT'S SCHOOL PRIVACY POLICY - HOW WE USE YOUR PERSONAL INFORMATION

 

Who we are


George Heriot's School is operated by George Heriot's Trust (a Scottish Charity, No SC011463) ("Trust/we"). We are part of the "Heriot's Group" which comprises George Heriot's Trust, Heriot Enterprises Limited, The Heriot's Centre for Sport and Exercise Limited, the George Heriot's School Parents' Association, The Heriot Club (the Heriot's former pupil association) and any other similar/affiliated association for former pupils of George Heriot's School.

We are committed to ensuring that your privacy is protected. This policy and our Marketing Policy (see below) set out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal information and how we will treat it.

For the purpose of the Regulations, the "data controller" is George Heriot's Trust which is registered with the ICO under number Z6111378.

For the purpose of this privacy policy:

"Regulations" means all laws that relate to data protection, privacy, the use of information relating to individuals, and/or the information rights of individuals including, without limitation, the Data Protection Act 1998, the Privacy and Electronic Communication (EC Directive) Regulations 2003, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, Privacy and Electronic Communications (EC Directive) Regulations 2003, the Consumer Protection from Unfair Trading Regulations 2008, any Laws in force from time to time in any relevant jurisdiction which implement the Data Protection Directive 1995/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data, General Data Protection Regulation ((EU) 2016/679), and all and any regulations made under those acts or regulations, all applicable formal or informal guidance, rules, requirements, directions, guidelines, recommendations, advice, codes of practice, policies, measures or publications of the Information Commissioner's Office, other relevant regulator, and/or relevant industry body, all as amended or replaced from time to time;


"personal information" means information which relates to a living individual who can be identified
• from the information; or

• from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual; and

"sensitive personal information" means personal information consisting of information as to -
• the racial or ethnic origin of the data subject;

• his political opinions;

• his religious beliefs or other beliefs of a similar nature;

• whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);

• his physical or mental health or condition;

• his sexual life;

• the commission or alleged commission by him of any offence; or

• any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Data protection principles

The following principles, which are set out in the Regulations, will apply in connection with the processing of personal information by us:

• the personal information will be processed fairly and lawfully and the data subject (pupil, former pupil, parent or employee) will be advised of its intended use, and, where applicable, their consent shall be obtained (unless such processing is required under any legislation or otherwise required by law);

• the purpose for which the personal information is obtained will be lawful and for specified purposes and will not extend to other uses;

• the personal information held will be adequate, relevant and not excessive for the specified purposes;

• the personal information held will be accurate and, where necessary, kept up to date;

• the personal information shall not be kept for longer than is necessary for the specified purpose;

• the personal information shall be processed in accordance with the rights of data subjects under the Regulations;

• appropriate technical and organisational measures will be taken to ensure security of the personal information; and

• the personal information will not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for the rights and freedom of data subjects.

How we use personal information

Personal information will be processed by us on the basis of: 1) the processing is necessary for the performance of a contract with you (for example for the provision of educational services, or of employment); or 2) the compliance with a legal obligation to which the Trust is subject; or 3) our legitimate interests or those of the party to whom the data is disclosed; or 4) your consent to the processing.

We collect and use personal information (including sensitive personal information) from and about prospective, current and former pupils and from and about parents (which includes guardians, carers, and bill payers) of prospective, current and former pupils. We also collect and use personal information (including sensitive personal information) from and about staff members, past and present, and prospective members of staff. We may receive personal information either directly from you or from someone on your behalf (for example from a parent on behalf of a pupil). We may also receive personal information from other members of the Heriot's Group and from other external agencies.

We use this information for various purposes in connection with the educational services we provide, including but not limited to:

• carrying out our obligations arising from any contracts entered into between you and us;

• assessing applications for places at George Heriot's School;

• maintaining the pupil's educational and welfare records;

• maintaining pupil medical information;

• requesting and collecting payment for services, and credit control;

• payroll administration and payment of wages;

• recruitment and other employment related activities;

• disciplinary or grievance issues;

• statistical analysis;

• alumni information and historical records;

• ensuring that content from our website at www.george-heriots.com ("website") is presented in the most effective manner for you;

• marketing services and fundraising for school development; and

• compliance with applicable legislation.

For some of our activities you will be asked to provide medical, health and lifestyle related information about a pupil or about you as a member of staff in order to enable an assessment to be made that it is safe for that pupil or for you to undertake that activity.

We may use and share personal information (including sensitive personal information) in relation to assessments and actions we may take for child protection purposes under relevant legislation, for example raising a wellbeing concern with the appropriate authorities.

We may from time to time process sensitive personal information relating to parents, pupils and staff. For example, pupils' medical records need to be processed for the provision of health care and general welfare purposes. To comply with safeguarding legislation we may need to process information regarding criminal convictions or alleged offences. Such processing will be undertaken only as and when strictly necessary and with absolute respect to individual confidentiality.

Where sensitive personal information is processed, we will usually seek the explicit consent of the data subject concerned to that processing (where such processing is not otherwise allowed under applicable legislation).

We may use photographs and video images of pupils and staff for internal educational purposes.

CCTV information and images are collected and used for crime prevention and public, pupil, staff and visitor safety. The areas where CCTV cameras are positioned within school grounds are clearly marked with appropriate notices.

Marketing and Fundraising

From time to time we may contact you, with your prior consent, by letter, telephone, email, text message or other form of electronic mail regarding fundraising activities and events, and commercial activities offered by the Heriot's Group or being offered by third parties on our premises. You may opt out of receiving such communications from us at any time, but please note that parents or guardians cannot opt out from receiving information about pupils' educational progress and welfare.

Please see our Marketing Policy for more information on how we may contact you with regard to our marketing activities (where you have consented to this).

Who we share personal information with

We may share personal information within the Heriot's Group for administration, management, statistical analysis, marketing and fundraising purposes (with your consent).

We may disclose personal information to third parties such as first aid providers, professional advisers, SQA, OSCR, and other national external agencies. We may also disclose personal information for the purpose of child protection, credit assessment or fraud prevention, or otherwise as required or permitted by law.

We may from time to time publish photographs or video images of pupils or staff on our website, social media and/or in other publications. Items published will never identify pupils by name (unless we have permission to do so), and we will always seek permission first before publishing such images.

We share standard and limited pupil NHS Health Information with NHS Lothian for the purposes of the National Child Health Program.

Other than as set out above, we will not share your personal information with anyone else without your consent.

Where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal information being disclosed to their parents or guardian, we will maintain confidentiality unless we have reasonable grounds to believe that the pupil does not fully understand the consequences of withholding his or her consent, or where we believe disclosure will be in the best interests of the pupil or other pupils for their safety or safeguarding.

Security

We are committed to ensuring that your personal information is held and used securely. Your personal information is either stored in a secure database hosted on site, access to which is controlled by appropriate security measures, or in an external "cloud" based system where suitable data sharing and privacy documentation has been checked, or in paper records in a secure filing system. Any externally hosted personal information is hosted within the EEA. In the unlikely event that personal information is hosted outside the EEA we will obtain appropriate confirmation that the host country has equivalent levels of data protection. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your personal information.

When pupils are out of school on an organised school activity, essential information regarding the pupil and accompanying staff including emergency medical information will be held securely by the trip organiser.

How we use cookies

When we provide services or information, we want to make them easy, useful and reliable. Where services or information are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.

We will request your consent to use "cookies" when you access our web pages.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to parent needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Google Analytics sets cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This is to ensure that the service is available when you want it and fast.

For further details on the cookies set by Google Analytics, please refer to the Google Code website.

Access to personal information and retention

If you believe that any of your personal information that we hold is inaccurate, out of date or incomplete, please send us the correct information and we will promptly update our records. If you wish access to or a copy of your personal information, please write to The Bursar and Treasurer, who is our Data Protection Officer, at George Heriot's Trust, Lauriston Place, Edinburgh EH3 9HE, email trust@george-heriots.com. We may charge a fee of up to £10 for this.

Personal information will be retained for the period we have determined as being required for the category of information to which it belongs, and in compliance with appropriate legislation. Thereafter, except as set out in this policy, it will be securely destroyed.

Summarised pupil and staff files and other categories of personal information form the basis of our formal records and our detailed historical archives and may be retained indefinitely for reference, historical and research purposes.

Policy review and publication

This policy was last reviewed in August 2017. It is published on our website and intranet and a copy is available on request. We intend to review this policy regularly and will publish any changes on our website and intranet and in information provided to prospective parents and pupils.

Further information

If you would like any further information about this policy or how we collect, use or share your personal information please contact the Trust's Data Protection Officer.


Marketing Policy

This is the Marketing Policy referred to in our Privacy Policy. This Marketing Policy together with our Privacy Policy sets out how we may process your personal information for marketing purposes.

Definitions used in the Privacy Policy will have the same meaning when used in this Marketing Policy.

Who we are

George Heriot's School is operated by George Heriot's Trust (a Scottish Charity, No SC011463) ("Trust/we"). We are part of the "Heriot's Group" which comprises George Heriot's Trust, Heriot Enterprises Limited, The Heriot's Centre for Sport and Exercise Limited, the George Heriot's School Parents' Association, The Heriot Club and any other similar/affiliated association for former pupils of George Heriot's School.

What are our marketing activities?

If you consent, we may contact you for the following purposes, either by post or by telephone or by email:

• Periodically we will send you Quadrangle magazine and other news publications;

• We may contact you to tell you about former pupil events or other events being organised by members of the Heriot's Group;

• We may contact you to tell you about our fund raising activities;

• We may contact you to let you know about events and activities taking place on our campus.

How do we gain your consent?

When obtaining consent from individuals to process their personal information for marketing purposes, the consent must be:

• freely given - there has to be a genuine choice; for example, consent can't be a condition to using a particular service;

• specific - be clear on both the type of marketing communication (e.g. postal, email, SMS, telephone calls) and who will be doing the marketing (e.g. the Heriot's Group);

• informed - our fair processing notice, i.e. our Privacy Policy and our Marketing Policy, should set out clearly, and in plain English, what the data will be used for; and

• given proactively by an action from the individual - a positive indication is required and can't be inferred simply by you not responding to a communication we have sent you.

Whenever we wish to contact you with regard to the purposes set out in this Marketing Policy, we will ensure that we have first obtained your explicit consent to such contact. We may seek your consent either by contacting you by email, or by post. You may signify your consent by responding to the email or returning a hard copy consent form or by informing us verbally or by telephone.

If at any time you wish to unsubscribe from marketing emails or from receiving materials by post, such emails and any other communications will provide clear instruction on how you can stop receiving these communications.

Who we share personal information with

Our Privacy Policy sets out the circumstances where we may share personal information. Other than as set out in that Policy we will not share your personal information with anyone else without your consent.

Security

Our Privacy Policy sets out our commitment to ensuring that your personal information is held and used securely.

Policy review and publication

This Marketing Policy was last reviewed in August 2017. It is published on our website and a copy is available on request. We intend to review this policy regularly and will publish any changes on our website and in information provided to prospective parents.

Further information

If you would like any further information about this policy or how we collect, use or share your personal information please contact the Trust's Data Protection Officer at trust@george-heriots.com.