Privacy Notice

Privacy Notice for Visitors and Hirers

 

Under data protection law, individuals have a right to be informed how Chiltern Hills Academy uses any personal data that we hold about them. We comply with this right by providing privacy notices to individuals where we are processing their personal data.

 

This privacy notice explains how we collect, use, store and share personal data about visitors to the Academy and hirers of the Academy.

 

We (Chiltern Hills Academy) aim to ensure that all personal data is collected, stored and processed in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018).

 

We (Chiltern Hills Academy) are a data controller for the purposes of Data Protection Law.

 

Contact details for our Data Protection Officer are listed below (see ‘Contact’).


The personal data we hold

Personal data that we may collect, use, store and share (when appropriate) about you includes, but is not restricted to:

       Name and contact details

       Information relating to the visit or hire such as company or organisation name, arrival and departure time, vehicle details

       Bank account details (if applicable)

       Insurance details (if applicable)

We may also collect, store and use information about you that falls into ‘special categories’ of more sensitive personal data. This includes, but is not restricted to, information about:

       Information about any access requirements

       Photographs and CCTV images captured in the Academy

We may also use, store and share data about you that we have received from other organisations, including other schools and social services.

Why we use this data

The purpose of processing this data is to support the Academy to:

       Identify you and keep you safe while on the Academy site

       Keep students, staff and visitors safe while you are on the Academy site

       Maintain accurate records of visits to the school

       Ensure that appropriate access arrangements can be provided for individuals who require them

       To enable the Academy to hire facilities to you

Use of your personal data in automated decision making and profiling

We do not currently process any personal data through automated decision making or profiling. If this changes in the future, we will amend any relevant privacy notices in order to explain the processing to you, including your right to object to it.


Our lawful basis for using this data

Our lawful bases for processing your personal data for the purposes listed above are in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR).

 

We will only process personal data where we have one of 6 ‘lawful bases’ (legal reasons) to do so:

·         The data needs to be processed so that the Academy can fulfil a contract with the individual, or the individual has asked the Academy to take specific steps before entering into a contract

·         The data needs to be processed so that the Academy can comply with a legal obligation

·         The data needs to be processed to ensure the vital interests of the individual or another person e.g. to protect someone’s life

·         The data needs to be processed so that the Academy, as a public authority, can perform a task in the public interest or exercise its official authority

·         The data needs to be processed for the legitimate interests of the Academy (where the processing is not for any tasks the Academy performs as a public authority) or a third party, provided the individual’s rights and freedoms are not overridden

·         The individual has freely given clear consent

 

Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent, and explain how you would go about withdrawing consent if you wish to do so.

 

Our basis for using special category data

 

For ‘special category’ data, we only collect and use it where we have both a lawful basis, as set out above, and one of the following conditions as set out in data protection law:

 

·         We have obtained your explicit consent to use your personal data in a certain way

·         We need to perform or exercise an obligation or right in relation to employment, social security or social protection law

·         We need to protect an individual’s vital interests (i.e. protect your life or someone else’s life), in situations where you’re physically or legally incapable of giving consent

·         The data concerned has already been made manifestly public by you

·         We need to process it for the establishment, exercise or defence of legal claims

·         We need to process it for reasons of substantial public interest as defined in legislation

·         We need to process it for health or social care purposes, and the processing is done by, or under the direction of, a health or social work professional or by any other person obliged to confidentiality under law

·         We need to process it for public health reasons, and the processing is done by, or under the direction of, a health professional or by any other person obliged to confidentiality under law

·         We need to process it for archiving purposes, scientific or historical research purposes, or for statistical purposes, and the processing is in the public interest

 

For criminal offence data, we will only collect and use it when we have both a lawful basis, as set out above, and a condition for processing as set out in data protection law. Conditions include:

 

·         We have obtained your consent to use it in a specific way

·         We need to protect an individual’s vital interests (i.e. protect your life or someone else’s life), in situations where you’re physically or legally incapable of giving consent

·         The data concerned has already been made manifestly public by you

·         We need to process it for, or in connection with, legal proceedings, to obtain legal advice, or for the establishment, exercise or defence of legal rights

·         We need to process it for reasons of substantial public interest as defined in legislation

 

Collecting this data

While the majority of information we collect from you is mandatory, there is some information that can be provided voluntarily.

Whenever we seek to collect information from you, we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice.

Most of the data we hold about you will come from you, but we may also hold data about you from local authorities, government departments or agencies, police forces, courts or tribunals.

How we store this data

Personal data is stored in accordance with our Data Protection Policy.

We keep personal information about you while you are visiting our Academy. We may also keep it beyond your visit if this is necessary. We create and maintain electronic records and files for individuals hiring our Academy. The information is kept secure and is only used for purposes directly relevant to your hire of the Academy.

We will retain and dispose of your personal information in accordance with the Information and Records Management Society’s toolkit for schools.

 

 

 

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

 

We will dispose of your personal data securely when we no longer need it.


Data sharing

We do not share information about you with any third party without consent unless the law and our policies allow us to do so.

Where it is legally required, or necessary (and it complies with data protection law), we may share personal information about you with:

       The Academy sponsors (Diocese of Oxford, Buckinghamshire County Council)

       Government departments or agencies

       Local Authority – to meet our legal obligations to share certain information such as safeguarding concerns

       Our regulators [Ofsted, SIAMS]

       Non-Academy employees such as Governors

       Suppliers and service providers – to enable them to provide the service we have contracted them for, such as BookingsPlus

       Our auditors

       Financial organisations

       Professional advisors and consultants

       Health and social welfare organisations

       Police forces, courts, tribunals

Transferring data internationally

Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.

In cases where we have to set up safeguarding arrangements to complete this transfer, you can get a copy of these arrangements by contacting us.

Your rights

a. How to access personal information we hold about you

Individuals have a right to make a ‘subject access request’ to gain access to personal information that the Academy holds about them.

If you make a subject access request, and if we do hold information about you, we will:

       Give you a description of it

       Tell you why we are holding and processing it, and how long we will keep it for

       Explain where we got it from, if not from you

       Tell you who it has been, or will be, shared with

       Let you know whether any automated decision-making is being applied to the data, and any consequences of this

       Give you a copy of the information in an intelligible form

You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.

If you would like to make a request, please contact our Data Protection Officer.

b. Your other rights regarding your data

Under data protection law, individuals have certain rights regarding how their personal data is used and kept safe. You have the right to:

       Object to the use of your personal data

       Prevent your data being used to send direct marketing

       Object to and challenge the use of your personal data for decisions being taken by automated means (by a computer or machine, rather than by a person)

       In certain circumstances, have inaccurate personal data corrected, have the personal data we hold about you deleted or destroyed, or restrict processing

       In certain circumstances, be notified of a data breach

       Make a complaint to the Information Commissioner’s Office

       Claim compensation for damages caused by a breach of the data protection regulations

To exercise any of these rights, please contact our Data Protection Officer.

Complaints

We take any complaints about our collection and use of personal information very seriously.

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.

To make a complaint, please contact our Data Protection Officer.

Alternatively, you can make a complaint to the Information Commissioner’s Office:  

       Report a concern online at https://ico.org.uk/concerns/

       Call 0303 123 1113

       Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Contact

If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact our Data Protection Officer:

 

Data Protection Officer

Jane Selvey

Chiltern Hills Academy

Chartridge Lane

Chesham

Buckinghamshire

HP5 2RG

Email:              dataprotection@chacademy.co.uk

Telephone:      01494 782066

 

 

This notice is based on the The Key for School Leaders model Privacy Notice for visitors, amended to reflect the way we use data in Chiltern Hills Academy.