Review Date: September 2023
Next Review Date: September 2024
Signed: Changing Education Group
Changing Education respects the privacy of every individual who visits our website, uses our app ConnectED – Careers Manager, contacts us and works with us. We are committed to safeguarding your privacy and have written the following privacy notice to explain what information we collect, and what we do with it. accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy applies to all personal data, regardless of whether it is in paper or electronic format related to pupils, parents, visitors, suppliers and others. For information related to former and current staff, or if you have applied for a role with Changing Education Group, then please request a copy of our Data Protection Policy which is available from the Data Officer, Stephen Hackney. Contact details are at the end of this notice. This policy is reviewed annually, or where legislation and laws change.
2. Who is the Data Controller?
If you visit our website, use our app ConnectED – Careers Manager or are a former or current member of staff, or our one of suppliers, then the Data Controller is Changing Education Limited, of The Cheshire College South & West, Dane Bank Avenue, Crewe, Cheshire, Crewe CW2 8AB (Company number 06677456).
Our registration reference with the Information Commissioner’s Office (ICO) is ZA091427.
Changing Education Limited operates in accordance with the principles of the Data Protection Act 2018 and the UK General Data Protection Regulations.
If you are an app user, then we are a Data Processor. If you have a concern or a query on how your data is managed, we would ask that in the first instance, you contact the educational provider that engaged us.
If you are a student, then we are a Data Processor. If you have a concern or a query on how your data is managed, we would ask that in the first instance, you contact the educational provider that engaged us.
|Personal data||Any information relating to an identified, or identifiable individual.
This may include the individual’s:
● Name (including initials)
It may also include factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
|Special categories of personal data||Personal data which is more sensitive and so needs more protection, including information about an individual’s:
● Racial or ethnic origin
|Processing||Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing or destroying.
Processing can be automated or manual.
|Data subject||The identified or identifiable individual whose personal data is held or processed.|
|Data controller||A person or organisation that determines the purposes and the means of processing of personal data.|
|Data processor||A person or other body, other than an employee of the data controller, who processes personal data on behalf of the data controller.|
|Personal data breach||A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.|
4. How do we obtain your personal data?
We may obtain your personal data in a variety of ways, including:
• From inbound enquiries to email@example.com or firstname.lastname@example.org, and other email inboxes such as individual email accounts of Changing Education employees
• From inbound phone calls where we see the incoming phone number and you pass us information verbally
• From data you supply while we are working together during commissioned projects, or during new business activities and the act of commissioning new work
• From networking activities and events, for example exchanging business cards or connecting on LinkedIn.
• From recommendations or references about you from others
• From recruitment activities, including inbound CV submissions and employee onboarding
• From your registration onto our software systems
• From website analytics
• From you signing up to our mailing list via our website or social media pages
• From contact from and conversations with our suppliers
• From data you enter into our app platform
Any information you give us should be accurate, and if you are supplying anyone else’s data, you must ensure that you have the authority and legal basis to do so.
5. What personal data is processed?
If you are a student then we will process the following information:
• Contact details (name, address, email address and phone number),
• academic performance data,
• and in a small number of instances, some medical information to ensure that you receive the right support in your placement environment.
If you have any queries, then please contact your education provider.
Depending on your relationship and activity with Changing Education, we may process different types of information about you, including but not limited too:
• Email address
• Phone number
• Job title
• Business name and address
• IP addresses
• Social media usernames/handles
• Browser information
• Bank account information
6. Who is my information shared with?
Your personal data will not be sold or disclosed to anyone outside of Changing Education or Changing Education’s appointed suppliers, without obtaining your prior consent – unless we are required to do so by law.
For our general day to day data processing activities, we use third party organisations (also called sub processors) to help us administer and monitor the services we provide:
• for the provision of software services to enable the management of our customers, staff and office administration
• for payroll and financial accounting
• to share newsletters, promotional detail, industry news or other information that maybe of interest to you
• to help us improve our services
• for the administration of our website and customer interactions
• for any legal guidance in the provision of our services
For full details of the third party suppliers we use, please contact us at the address below.
7. How is your personal information used?
The personal data you give us may be used in a variety of ways:
• Communicating with you as a customer, about new or currently commissioned projects
• Responding to recruitment enquiries and progressing the recruitment process, storing your details for future reference if new positions become available
• Performing accounts tasks, such as raising and sending invoices
• Storing in databases for reference by appropriate Changing Education employees and our suppliers
• Retention of your personal information for as long as this is required to meet our legal obligations.
• Interacting with our app to enhance your user experience.
We will only keep your personal data for as long as it is relevant to the purpose for which it was collected or for as long as we are required to keep it by law. We have a retention policy and process in place. If you would like a copy of this, then please contact our Data Officer at the address below.
8. What is our legal basis for processing your data?
Depending on your relationship and activity with Changing Education, our legal basis for processing your personal data may be different.
In the case of signing up to our mailing list, we rely on your consent given at the time of sign- up, and you should consult the privacy notices and messages on those forms.
In the case of employees or customers of Changing Education, the processing is necessary for the performance of a contract between yourself and Changing Education.
For other activities, such as storing CV’s sent to us as part of recruitment, processing is necessary for the purposes of legitimate interests of Changing Education.
We have a comprehensive retention process for each type of data that we store and how long we store this information. Please get in contact if you require further information.
9. Sharing Personal Data
We will not normally share personal data with anyone else, but may do so where:
● There is an issue with a pupil or parent/carer that puts the safety of our staff at risk
● We need to liaise with other agencies – we will seek consent as necessary before doing this
● Our suppliers or contractors need data to enable us to provide services to our staff and pupils – for example, IT companies. When doing this, we will:
o Only appoint suppliers or contractors which can provide sufficient guarantees that they comply with data protection law
o Establish a data sharing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share
o Only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
● The prevention or detection of crime and/or fraud
● The apprehension or prosecution of offenders
● The assessment or collection of tax owed to HMRC
● In connection with legal proceedings
● Where the disclosure is required to satisfy our safeguarding obligations
● Research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided
We may also share personal data with emergency services and local authorities to help them to respond to an emergency situation that affects any of our pupils or staff. Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
10. Children and subject access requests
Personal data about a child belongs to that child, and not the child’s parents or carers. For a parent or carer to make a subject access request with respect to their child, the child must either be unable to understand their rights and the implications of a subject access request or have given their consent.
Children aged 13 and above are generally regarded to be mature enough to understand their rights and the implications of a subject access request. Therefore, most subject access requests from parents or carers of pupils from our service may not be granted without the express permission of the pupil. This is not a rule and a pupil’s ability to understand their rights will always be judged on a case-by-case basis.
Please note, Changing Education are a Data Processor of this information. The education provider is the Data Controller. If you have any concerns or queries on the data that is passed to Changing Education in order that we can provide a service, please contact the education provider. We are unable to respond to any requests from a child, their parent or carer.
For more information on the role of Data Controllers and Data Processors, then please see the additional guidance on the Information Commissioners website here.
11. Your rights
You have the right to request access to the personal data that we hold about you – this is known as a Subject Access Request (SAR). If you wish to make a SAR about the personal data we hold about you, please email email@example.com. We will normally respond within 30 days to provide you with the data we hold about you in a commonly-used electronic format. There is no charge for this service, however, if requests become manifestly unfounded, excessive or repetitive, we may charge a fee appropriate to the administrative work required. This time can be extended by two months if the request is complex.
You have the right to request rectification of your personal data. To do so, please email firstname.lastname@example.org. We will respond within 30 days, although can be extended by two months if the request for rectification is complex. If Changing Education decides not to act in response to a request for rectification, we will explain to you our reasons.
You have the right to the deletion or removal of your personal data where there is no compelling reason for its continued processing. To request deletion of your personal data, please email email@example.com. We may refuse to comply with a request for erasure in some circumstances, for example in the case of requiring the information as part of a legal obligation, such as our statutory accounts and records.
You have the right to suppress or restrict the processing of your personal data. To request this, please email firstname.lastname@example.org .
You have the right to data portability, which allows you to obtain and reuse your personal data for your own purposes across different services. To request this, please email email@example.com. We will respond within 30 days to provide you with the data we hold about you in a commonly-used electronic format. This time can be extended by two months if the request is complex.
You have the right to object to:
• processing based on legitimate interests
• direct marketing
• processing for purposes of scientific/historical research and statistics.
To make an objection to processing, please email firstname.lastname@example.org.
12. How we protect your information
We take a range of organisational and technical measures to protect your information. We maintain strict physical, electronic and administrative safeguards to protect your personal data from unauthorised or inappropriate access. We also will conduct refresher training and have robust policies and procedures in place to ensure that we meet our legal obligations.
Where appropriate we use industry-standard encryption techniques, including encrypting web traffic using HTTPS. Regular security reviews are held by Changing Education and in consultation with our software developers to ensure that our systems and processes remain safe and secure for the protection of your personal data. We have invested in the use of world leading technologies who themselves have invested in ensuring that their systems and the protection of Client data is a top priority.
Where you have registered onto our software systems with a self-chosen password, we ask you not to use that same password on any other systems. You are responsible for the security of your own passwords. We recommend following the guidance on passwords from the National Cyber Security Centre which can be found here.
13. Is any of my data sent outside of the EU?
Yes. Wherever possible we select data centres in the EU, however some data is stored in the US, and we have listed these suppliers below.
We select suppliers carefully and in many cases Model Contracts exist between Changing Education and those suppliers in order to ensure the suppliers meet the standards required to protect your personal data.
|Third Country (non EU / non EEA
|Purpose of processing||Safeguards in place and further information|
|Information is transferred to the US using standard contractual clauses : Privacy Notice (Business)|
|Postmark||Student -> workplace -> college / school emails||Information is potentially transferred to the US using Standard Contractual clauses :
Data Processing Agreement
|Sage||Accountancy, invoicing etc||Information is transferred to the US using model clause agreements :
Sage Privacy Notice
|DocuSign||Contract Signature tools||Information is potentially transferred to the US using Binding Corporate Rules.: Docusign Privacy details|
A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone browser from a website’s server and is stored on your device. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites. Many websites do this whenever a user visits their website to track online traffic flows.
As a visitor, you can edit your browser settings to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these means that the website might not work properly. Each browser is different, so check the Help menu of your browser to find out how to change your cookie preferences.
14.1 Third Party Cookies
During your visit, you may notice some cookies that are not related to this site. When you visit a page with content embedded from, for example, YouTube or Flickr, you may be presented with cookies from these websites. We do not control the dissemination of these cookies. You should check the third-party websites for more information about these.
14.2 How to control and delete cookies
Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this in the browser of your mobile phone you will need to refer to your handset manual.
Please be aware that restricting cookies may impact on the functionality of this website.
The cookies we use
• _ga, _gid
• Google Analytics
This is a service used to monitor traffic on the site and its pages. Google stores the information collected by the cookie on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google
Find out how to manage cookies on popular browsers:
• Google Chrome
• Mozilla Firefox
• Microsoft Internet Explorer
• Apple Safari
To find information relating to other browsers, visit the browser developer’s website.
To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.
15. Links to Other Websites
Our website and other communications may contain links to other third-party websites. You should be aware that we do not have any control over other these third-party websites, and therefore we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites. Such sites are not governed by this privacy notice.
You should exercise caution and look at the privacy notice applicable to the website in question.
From time to time we may perform limited marketing for which we have a legitimate interest to do so. We source email details from Sprint Education who are the Data Controller.
If you wish to unsubscribe from any of our newsletters then please either click the button at the bottom of any newsletters that are issued, or drop us a line at the details provided below. If you wish to ensure that you no longer receive any emails from us or other companies then please contact Sprint Education at https://sprint- education.co.uk/about/contact
We have appointed a Data Officer. Our Data Officer is Stephen Hackney and is contactable via 01625 827309 or at the details below.
For any questions about this Privacy Notice, or Changing Education’s approach to data protection, please contact us:
Address: The Cheshire College, Dane Bank Avenue, Crewe, Cheshire, Crewe CW2 8AB
If we are unable to satisfy any complaint or query that you may have, or if you are still concerned, you can contact the Information Commissioners Office at www.ico.org.uk