WHY WE NEED TO PROCESS PERSONAL DATA
In order to carry out our ordinary duties to participants and customers, NSSO may need to process a range of personal data about past, current and prospective participants and customers as part of its daily operation. Such as:
• For the purposes of enrolling new and existing students on NSSO courses and services (and to confirm the identity of prospective clients);
• To provide pastoral care to students on our residential courses;
• To manage relationships with participants and parents/guardians of participants;
• Maintaining relationships with the NSSO community, including direct marketing activity;
• For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law;
• To enable relevant authorities to monitor NSSO’s performance and to intervene or assist with incidents as appropriate;
• To carry out NSSO’s safeguarding obligations whilst students are in the care of NSSO;
• To monitor (as appropriate) use of Malvern College’s IT and communications systems in accordance with the College’s Policy one the Acceptable use of ICT and e-Safety;
• To make use of photographic images of users in NSSO publications, on the NSSO website and (where appropriate) on NSSO’s social media channels;
• Where otherwise reasonably necessary for NSSO’s purposes, including to obtain appropriate professional advice and insurance for NSSO.
TYPES OF PERSONAL DATA PROCESSED BY NSSO
• names, addresses, telephone numbers, email addresses, school information and other contact details
• medical information relating to students in the care of NSSO
• communication record (letter, email or SMS)
• credit/debit card details in the case of customers asking to pay invoices by this means;
• images of students, parents and host families (in accordance with Malvern College’s policy on taking, storing and using images of children);
LEGAL BASIS FOR PROCESSING DATA
NSSO expects that much of its data processing may fall within the category of its (or its community’s) “legitimate interests” provided that these are not outweighed by the impact on individuals and provided it does not involve special or sensitive types of data.
Some activity NSSO will need to carry out in order to fulfil its “legal rights, duties or obligations” for example where clients or host families are in a contractual relationship with NSSO.
There may be occasions when NSSO will act in the “vital interests” of preventing someone from being seriously harmed or killed.
HOW NSSO COLLECTS DATA
Generally, NSSO receives personal data from parents directly via application forms. Additional information relating to participants is provided by third parties (such as schools or instrumental teachers) through confidential references and Disclosure and Barring Service (DBS) checks which are taken up by NSSO. Personal information may be provided via a form, or simply in the ordinary course of interaction or communication (such as email or telephone conversations).
WHO HAS ACCESS TO PERSONAL DATA AND WHO NSSO
Occasionally, NSSO will need to share personal information relating to its community with third parties, such as professional advisers (lawyers and accountants) or relevant authorities (HMRC, police or the local authority).
For the most part, personal data collected by NSSO will remain within NSSO, Malvern College Enterprises and Malvern College, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis).
A participant’s personal data will also be shared with relevant staff at NSSO in order to co-ordinate the student’s care and welfare.
In accordance with Data Protection Law (including GDPR – the General Data Protection Regulation), some of NSSO’s processing activity is carried out on its behalf by third parties – our trusted and contracted suppliers – such as IT systems (MemberPress and Gravity Forms), web developers (We Are Beard) or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the NSSO specific directions, i.e. your data will never be used by these suppliers for their own benefit or marketing purposes.
HOW LONG WE KEEP PERSONAL DATA
NSSO will retain personal data securely (stored in our CRM system) and only in line with how long it is necessary to keep for a legitimate and lawful reason. Any sensitive personal data relating to parents and participants will be destroyed within 12 months of the end of the last course attended by the participant, unless they subsequently enroll for a new course. Credit/debit card details are only taken at the request of users, generally by telephone call, and are destroyed immediately if submitted on a form. They are never recorded on any NSSO system.
Incident reports and files relating to the safeguarding of children will need to be kept much longer, in accordance with specific legal requirements. It should also be noted that fully-selective deletion of data from the NSSO Management Information Systems may not always be possible for technical reasons.
If you have any specific queries about how this policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact Malvern College’s Commercial Manager, Ms Sally Ann Young. However, please bear in mind that NSSO, Malvern College Enterprises Ltd and Malvern College may have lawful and necessary reasons to hold on to some data.
Individuals have various rights under Data Protection Law to access and understand personal data about them held by NSSO, and in some cases ask for it to be erased or amended or for NSSO to stop processing it, but subject to certain exemptions and limitations.
If you wish to exercise any of these rights you should put your request in writing to Malvern College’s Commercial Manager, Ms Sally Ann Young.
NSSO will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. NSSO will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, NSSO may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege.
Data Protection Law provides you with the following rights:
The right of access
Your right to obtain confirmation as to whether or not personal data are being processed, and, where that is the case, access to the personal data along with details regarding the nature of processing.
The right of rectification
Your right to obtain the rectification of inaccurate personal data.
The right of portability
Your right to receive the personal data concerning provided to us, in a structured, commonly used and machine-readable format.
The right to be forgotten
Your right to erase your personal data.
The right to restrict processing
your right for your data to be effectively ‘frozen’; stored and not further processed.
The right to object
ACCESS REQUESTS – YOUNGER USERS
Children whose personal data is held by NSSO (i.e. players in any one of our orchestras or courses) can make subject access requests for their own personal data, provided that, in the reasonable opinion of NSSO, they have sufficient maturity to understand the request they are making (see section Whose Rights below). Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger children, the information in question is always considered to be the child’s at law.
A child of any age may ask a parent or other representative to make a subject access request on his/her behalf. Moreover (if of sufficient age) their consent or authority may need to be sought by the parent making such a request. This will depend on both the individual child and the personal data requested, including any relevant circumstances at home. All information requests from, or on behalf of, children – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.
Where NSSO is relying on consent as a means to process personal data (for the example the use of images for marketing purposes), any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that NSSO may have another lawful reason to process the personal data in question even without your consent.
That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual or because a purchase of goods, services or membership has been requested.
The rights under Data Protection Law belong to the individual to whom the data relates. However, NSSO will often rely on parental consent to process personal data relating to children (if consent is required) unless, given the nature of the processing in question, and the child’s age and understanding, it is more appropriate to rely on the child’s consent.
Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.
In general, NSSO will assume that children’s consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the child’s academic progress, and in the interests of the child’s welfare, unless, in NSSO’s opinion, there is a good reason to do otherwise.
However, where a child seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, NSSO may be under an obligation to maintain confidentiality unless, in NSSO’s opinion, there is a good reason to do otherwise; for example where NSSO’s believes disclosure will be in the best interests of the child or other children, or if required by law.
DATA ACCURACY AND SECURITY
NSSO will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify [firstname.lastname@example.org] of any significant changes to important information, such as contact details, held about them.
An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why NSSO may need to process your data, of whom you may contact if you disagree.
NSSO will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to NSSO systems. All staff will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
NSSO will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.
QUERIES AND COMPLAINTS
Any comments or queries on this policy should be directed to Ms Sally Ann Young, Commercial Manager.
If you believe that NSSO has not complied with this policy or acted otherwise than in accordance with Data Protection Law, you should notify the Commercial Manager. You can lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with NSSO before involving the regulator.