1. Data Controller
The City of London Freemen’s School is part of the City of London Corporation (CoL), and it is CoL that is registered with the Information Commissioner’s Office as the Data Controller (registration number Z5996206).
The Data Protection Officer is the CoL Comptroller & City Solicitor, who can be contacted at [email protected].
The Data Protection contact at the School is the Bursar, who can be contacted at [email protected].
This Notice describes how the City of London Freemen’s School (Ashtead Park, Ashtead Surrey, KT21 1ET), collects and uses personal information about you, in accordance with the relevant legislation (United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018).
The Notice will be reviewed periodically and may be updated at any time, we will always inform you of any substantive changes to the way we process your data.
This Notice relates to prospective, current and past staff, pupils and parents. A separate Privacy Notice covers staff, pupils and parents.
In carrying out our day-to-day activities we process and store personal information relating to our supporters. We are therefore required to adhere to the requirements of the Data Protection Act 2018. We take our responsibilities under this act very seriously and ensure that the personal information we obtain is held, used, transferred and processed in accordance with that Act. We also adhere to all other applicable data protection laws and regulations including, but not limited to, the Privacy and Electronic Communications Regulation.
3. Types of data collected and held by the School
When you request information from the School, we will require some personal information about you, including your name, address, email address and telephone number. This information allows the School to fulfil your request and keep you informed. This may be provided by you or third parties electronically or on paper. The data the School holds will be the minimum it requires to form and maintain the contract between you and the School.
Where payments are made to the School, details of payment card numbers and expiry dates will go through a secure server operated by the School's Payment Service Provider.
If you are former pupil, parent or staff
- Your name, title, gender, nationality and date of birth;
- Your home address, email address and telephone numbers;
- Your bank account number, name and sort code (used for processing Direct Debits);
- If you are a tax payer so that we can claim Gift Aid;
- Year at School, leaving date.
We gather personal information from you when you enquire about our activities, register for or sign in at an event, make a donation, volunteer, engage with our social media channels or otherwise provide us with your personal information.
The personal information that we may request when you engage with us might include your name, age, gender preference, location and / or country information, and possibly other information, as well as credit card or other financial information needed to process donations or event fees. We may also ask you if you are a UK taxpayer so that we can claim Gift Aid.
We will never request personal information about your health or the health of your family members or friends, unless we inform you how that information will be used and receive your explicit consent for such use (i.e. for a case study).
We may also collect your business details to enhance our careers and mentoring network and allow us to send emails and invitations that may be of interest to you.
We use third parties to collect data on our behalf to support our activities. This might include event registrations, setting up Direct Debits and processing your donations. We also, on occasion, ensure our records are as up to date as possible through running address and detail verification checks through sources that are deemed acceptable by the Information Commissioner’s Office (ICO). We may also receive information about you from other sources, which include publicly available data.
To increase our fundraising reach, we research information in the public domain, such as contact details for local organisations to get in touch with about our latest activities and appeals. We will not call any company or organisation registered with the Corporate Telephone Preference Service.
Please also see the privacy notice for current, prospective and past students, staff and parents.
4. Who has access to data
Access to personal data is restricted to those members of staff who have a requirement to maintain a relationship with you and is controlled through password protection and user security profiles. All School staff that are given access to personal data receive mandatory Data Protection training and have a duty to maintain confidentiality under the Data Protection Act. Access to special category data is restricted to key personnel and staff with such access receiving a higher level of training.
Personal data is processed by the School to:
- To provide you with information about our work or our activities that you have requested. This might include sending you Freemen’s Calling, our Alumni Magazine, invitations to events and mentoring opportunities.
- For administration purposes (e.g. we may contact you about a donation you have made or an event you have expressed an interest in or registered for).
- To ask you for your permission to use the story of your experience with the School in order to promote our work.
- To ask you to help us raise money or donate money to the School.
- To create an account for you if you register with us.
- For internal record keeping, including the management of any feedback or complaints.
- To use IP addresses to identify your approximate location, to block disruptive use, to record website traffic or to personalise the way our information is presented to you.
- To analyse and improve the services offered on our sites to make it as user-friendly as possible.
- Transfer for HM Revenue and Customs in respect of any Gift Aid claims.
- For statutory and regulatory compliance.
- To assess your personal information for the purposes of credit risk reduction or fraud prevention.
We may use your data for wealth-screening, research and profiling (see below for more information). Our purpose is to gain a better understanding of how we should engage with you, and tailor our communications more effectively and appropriately. This also helps us make informed decisions about our fundraising strategy and ensure our internal resources and investments are used as effectively as possible. Our objective is to ensure any approaches we make to you are respectful, professional and based on evidence that you might be interested in our work, in order to provide you with the best experience we can.
This is carried out by a trusted third-party supplier and entails using information such as your name, postcode and data on your existing relationship with us. Wealth-screening is a tool which helps us to better understand how to approach you about fundraising and volunteering opportunities in an appropriate way and therefore generate funds cost-effectively.
This could include research on financial, business, philanthropic and demographic information sources from publicly available data, such as Companies House, the Charity Commission and the media. We may also look at professional networks, such as LinkedIn, and process special category data if it has been made public by you (e.g. through an interview or a publicly directed social media post). In addition, we may combine the data you provide to us with data obtained from other sources (e.g. to verify we have correct addresses / postcodes).
This could include analysis of financial, philanthropic and other personal data we hold on you to assess the likelihood that you might wish to engage with us, as well as broader data analysis. This analysis helps us to gain a better understanding of how to approach you, or your interests, and of broader demographic, geographic and engagement trends amongst our supporters. This process is not solely automated processing and always contains manual assessment to ensure we are making correct assumptions from the analysis.
If you do not wish your data to be used in any of these ways or have questions about this, you have the choice to change your privacy options and can notify us using the contact details in the Introduction section. If you are unsure and have further queries on how we might use your data, please contact us and we will answer your questions. In order to comply with our legal obligations under the Charity Commission Regulations and the Fundraising Regulator’s Code of Practice, we may also undertake due diligence research to assess the source of funds for donations and to ensure that we are robustly considering ethical and reputational risks to our organisations.
7. With whom does the School share data
Personal data is never sold to third parties. In many circumstances we will not disclose personal data without consent. However, there may be occasions, such as pupils changing Schools, when we will need to share personal information with the organisation concerned and with other relevant bodies.
Occasionally the School will need to share personal information relating to its community with third parties, such as professional advisers (lawyers and accountants) or relevant authorities (HMRC, police or the City of London Corporation, the local authority).
Information about employees may also be disclosed where required by law, or in connection with legal proceedings, or for the prevention / detection of crime, or assessment / collection of tax.
The School may share personal data with third party organisations which carry out contracts on behalf of the School (such as Sodexo our Catering supplier). The School will only share personal data that is relevant and proportionate. All data processing activities are logged and reviewed from time to time. Should a safeguarding issue arise, personal data may be shared after consultation with the DSL (Designated Safeguarding Lead).
Finally, in accordance with Data Protection Law, some of the School’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the School’s specific directions.
8. How is your data stored?
Personal data is stored electronically in the School’s MIS, IT Systems, and, in some instances, in paper record. Paper records of special category data and higher category sensitive information are kept under lock and key.
Although most of the information we store and process stays within the UK, some information may be transferred to countries outside the European Economic Area (EEA). This may occur if, for example, one of our trusted partner’s servers are located in a country outside the EEA. These countries may not have similar data protection laws to the UK; however, we will take steps to ensure they provide an adequate level of protection in accordance with UK data protection law by the use of EU model contract clauses or, for organisations that we work with who process personal information in the USA, verification that their data processing standards meet the EU-US Privacy Shield. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
9. How long will we keep your data?
The School will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff and pupil personnel files is up to seven years following departure from the School. However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements. Currently, the Independent Inquiry into Child Sexual Abuse is reviewing historic cases. The School has been advised to retain all records until the Inquiry has concluded and any recommendations on record retention have been made.
If you have any specific queries about how our retention policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact the Bursar at [email protected]. However, please bear in mind that the School will often have lawful and necessary reasons to hold on to some personal data even following such request.
A limited and reasonable amount of information will be kept for archiving purposes, for example; and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes (called a "suppression record").
The Freemen’s website uses Google Analytics tracking codes to measure performance enabling us to enhance and improve services for our audiences. However, we do not collect personally-identifiable information (PII) as all data collected is anonymous. If you do not want Google Analytics to use your data then please visit Google Analytics opt-out browser add-on.
12. Your rights
Individuals have various rights under Data Protection Law to access and understand personal data about them held by the School, and in some cases ask for it to be erased or amended or for the School to stop processing it, but subject to certain exemptions and limitations.
Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, should email their request to [email protected].
The School will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month (from May 2018) in the case of Subject Access Requests. The School will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, the School may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege. The School is also not required to disclose any pupil examination scripts (though examiners' comments may fall to be disclosed), nor any confidential reference given by the School for the purposes of the education, training or employment of any individual.
13. Data Accuracy and Security
The School will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must notify the School of any changes to information held about them (please contact [email protected].)
An individual has the right to request that any inaccurate or out-of-date information about them is erased or corrected (subject to certain exemptions and limitations under Act; please see above).
The School will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to School systems. All Staff and Governors will be made aware of this policy and their duties under Data Protection Law and will receive relevant training.
14. Queries or Complaints
Any comments or queries on this policy should be directed to the School at [email protected].
If an individual believes that the School has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should utilise the School’s complaints procedure and should also notify the School at [email protected].
You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk), although the ICO recommends that steps are taken to resolve the matter with the School before involving the regulator.