The King’s School, Worcester – Privacy Notice
This Notice applies to The King’s School, Worcester (the Foundation) community, including prospective, current and past pupils and their parents/guardians; governors and volunteers; suppliers and contractors; donors, friends and supporters; and other individuals connected to or visiting the Foundation (including children enrolled on our holiday camps). It sets out when and how we use the Personal Data that you or others provide to us. We are committed to managing and safeguarding your personal information in accordance with current legislation and best practice. Your privacy is of the utmost importance to us.
Whenever you provide personal information, we will treat that information in accordance with this Privacy Notice. We want to make sure you fully understand the terms and conditions surrounding the capture and use of Personal Data. This notice describes what information we collect about you, how we use it, and the rights you have in relation to that collection and usage.
By ‘Personal Data’ we refer to information collected or held by the Foundation that identifies and relates to you as an individual, including ‘Special Category Personal Data’, which is data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and medical conditions.
Who we are
For the purpose of the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulations (UK GDPR) and any other applicable data protection and privacy laws and regulations, the Foundation will be the ‘Data Controller’ of all personal information. This means we determine the means and purpose of processing and we have registered with the Information Commissioners Office (ICO) under registration number Z7022029.
The King’s School, Worcester is a private company limited by guarantee registered in England, No 4776324, and is registered with the Charity Commission under Charity No. 10983236. The Charity Commissioners for England and Wales have issued a uniting direction in respect of the Foundation and the unincorporated precursor charity that went by the same name (having the registered name of Worcester Cathedral Grammar School, Charity No. 527536) whereby single entity financial statements may be prepared. The registered office is 5 College Green, Worcester, WR1 2LL.
The Foundation operates one Senior School, known as King’s Worcester, and two Prep Schools known as King’s St Alban’s and King’s Hawford.
The Foundation also operates in conjunction with The King’s School Development Trust, King’s School Worcester Enterprises Ltd, and King’s School Activities Ltd. As Data Controller, the data we manage refers individually and collectively to these bodies.
What this Privacy Notice is for
This Privacy Notice is intended to provide information about how the Foundation will use, or “process”, personal data about individuals within the Foundation’s community (noted within the introduction).
This information is provided because Data Protection Law gives individuals rights to understand how their data is used. All are encouraged to read this Privacy Notice and understand the Foundation’s obligations.
This Privacy Notice applies alongside any other information the Foundation may provide about a particular use of personal data, for example when collecting data via an online or paper form.
This Privacy Notice also applies in addition to the Foundation’s other relevant terms and conditions and policies, including:
- any contract between the Foundation and the parents/guardians of pupils
- the Foundation’s Data Protection policy
- the Foundation’s CCTV policy
- the Foundation’s Disciplinary, Grievance and Capability policy
- the Foundation’s Health and Safety policy
- ISBA’s Guidelines on the Storage and Retention of Records and Documents
- the Foundation’s Safeguarding policy, which includes how concerns or incidents are recorded
- the Foundation’s IT policies, including its Acceptable Use Policy (AUP) – Staff & Pupil policies, Social Media policy, Remote Learning policy and Data Breach policy.
Please note that any contract you may have with the Foundation will be relevant to how we process your data, in accordance with any relevant rights or obligations under that contract.
This Notice also applies alongside any other information the Foundation may provide about particular uses of Personal Data, for example when collecting data via an online or paper form.
Anyone who works for, or acts on behalf of, the Foundation (including staff, volunteers, governors and service providers) will be subject to suitable training and/or policies commensurate with their role.
Responsibility for Data Protection
The Foundation’s Compliance Manager will deal with all your requests and enquiries concerning our use of your Personal Data (see section on Your Rights below) and endeavour to ensure that all Personal Data is processed in compliance with this policy and Data Protection Law. If you have any questions or queries regarding this, please email: email@example.com.
Why the Foundation needs to process Personal Data
In order to carry out its ordinary duties, the Foundation needs to process a wide range of personal data about individuals as part of its daily operation.
The Foundation will need to carry out some of this activity in order to fulfil its legal rights, duties or obligations – including those under a contract with its staff, or parents/guardians of its pupils.
We will process the Personal Data supplied to us to conduct and manage the Foundation to enable us to give you the best and most secure experience.
The following are what we consider to be our Legitimate Interests. These include:
- the selection and admission of pupils
- the provision of education to pupils, including the administration of the school curriculum and timetable, monitoring pupil progress and educational needs, reporting on the same internally and to parents/guardians, administration of pupil’s entries to public examinations, reporting upon and publishing the results, providing references for pupils and alumni
- the provision of educational support and related services to pupils (and parents/guardians) including the maintenance of discipline, provision of careers and library services, administration of sports fixtures and teams, provision of school trips, provision of School’s IT and communications systems and virtual learning environment
- safeguarding and promoting the welfare of pupils
- the purpose of good governance
- the provision of educational courses and co-curriculum during the school holidays including school trips, holiday camps, academies and pre-season training
- the recruitment of staff (including compliance with DBS procedures)
- reviewing and appraising staff performance
- conducting any grievance, capability or disciplinary procedures
- the maintenance of appropriate human resources records for current and former staff and for providing references
- keeping the Foundation buildings safe and secure
- the promotion of the Foundation through its own websites, the prospectus and other publications and communications including social media platforms
- maintaining relationships with the Old Vigornians and the wider Foundation community by communicating with the body of current and former pupils and/or their parents or guardians, current and former staff/volunteers, and organising events.
- carrying out or cooperating with any school or external complaints, disciplinary or investigation process
- where otherwise reasonably necessary for the School’s purposes, including to obtain appropriate professional advice and insurance for the School.
The Foundation also uses personal data to fulfil any Contractual Obligations that exist between us and yourself.
Where we request personal data be provided to enter into, or meet the terms of any such contract, you will be required to provide the relevant personal data or we will not be able to deliver the goods or services you want.
The Foundation is required to process some data in order to comply with the law. The lawful basis is our Legal Obligation. These include:
- To provide for our financial commitments, or to relevant financial authorities.
- To comply with regulatory requirements and any self-regulatory schemes.
- To carry out required business operations and due diligence.
- To cooperate with relevant authorities for reporting criminal activity, or to detect and prevent fraud.
- To investigate any insurance claims, claims of any kind of harassment or of discrimination, or any other claim whereby the organisation may have to defend itself.
- Compliance with legislation and regulation including the preparation of information for inspections by the Independent Schools Inspectorate, and the submission of annual census information to each of the Independent Schools Council and Department of Education.
- The safeguarding of pupils’ welfare and provision of pastoral care, welfare, health care services by school staff and other specialist professionals.
- To enable relevant authorities to monitor the School’s performance and to intervene or assist with incidents as appropriate.
- Operational management including the compilation of pupil records, the administration of invoices, fees and accounts, the management of the Foundation estate, the management of security and safety arrangements (including the use of CCTV in accordance with our CCTV policy and the monitoring of the Foundation’s IT and communication systems in accordance with our Acceptable Use Policy), management planning and forecasting, research and statistical analysis, the administration and implementation of the School Rules and policies for pupils and staff, the maintenance of historic archives and other operational purposes.
The Foundation may process Personal Data for the following purposes where it has received consent to do so:
- To inform you of goods and services provided by third-party organisations.
- To offer goods, services, or activities to children.
- To monitor people’s activities, either through online means or otherwise, to identify trends and/or behavioural patterns, or for profiling.
You may withdraw your consent for us to process your personal data for these purposes at any time; after a withdrawal of consent request is received, we may have to contact you to verify the request.
Withdrawing your consent for us to process your personal data will not affect the lawfulness of the processing beforehand.
In the UK only children aged 13 or over are able provide their own consent. When the Foundation is using consent as the lawful basis for processing for children aged under 13, we will obtain consent from the child’s parent/guardian – unless we are offering a safeguarding or counselling service.
Special Category Personal Data
In addition, the Foundation will on occasion need to process special category personal data. Special categories are:
- personal data revealing racial or ethnic origin
- personal data revealing political opinions
- personal data revealing religious or philosophical beliefs
- personal data revealing trade union membership
- genetic data
- biometric data (where used for identification purposes)
- data concerning health
- data concerning a person’s sex life
- data concerning a person’s sexual orientation.
The reasons for processing special category data will include:
- To safeguard pupils’ welfare and provide appropriate pastoral care, and where necessary medical care, and to take appropriate action in the event of an emergency, incident or accident
- To comply with public health requirements in respect of pandemic (or similar) testing
- To provide educational services in the context of any special educational needs of a pupil
- In connection with employment of its staff, for example DBS checks, welfare, union membership or pension plans, and in a pastoral, complaint or disciplinary context
- As part of any Foundation or external complaints, disciplinary or investigation process that involves such data, for example if there are SEND, health or safeguarding elements
- For legal and regulatory purposes (for example child protection, diversity monitoring, and health and safety compliance) and to comply with its legal obligations and duties of care.
- The Foundation has received explicit consent.
- It is necessary to protect the vital interests of the individuals where they are physically or legally incapable of giving consent.
- It is necessary for preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or pursuant to contract with a health professional.
We endeavour at all times to keep your data accurate and secure, and to honour your data preferences with regard to receipt of postal communications, email, mobile messaging and telephone calls.
Types of Personal Data processed by the Foundation
To enable us to run our services adequately we will need to collect Personal Data from you when you engage with the Foundation informally or formally. We collect data when you send us information, talk to us over the phone, submit an application form or when you visit our website.
The types of Personal Data we may collect includes:
|Contractors and suppliers||
|Governors/Trustees and other volunteers||
How the Foundation collects data
For the most part, personal data collected by the Foundation will remain within the schools, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis). However, some functions are outsourced including cloud storage, records management, and monitoring. In accordance with Data Protection Law, this type of external data processing is always subject to contractual assurances that personal data will be kept securely and used only in accordance with the Foundation’s specific directions.
Occasionally, the Foundation, including its governing board, will need to share personal information relating to its community of staff, pupils and parents/guardians with third parties. Please be assured that we will not share your information for any reason unless we are required by law or permitted to do so under this Privacy Notice. The main circumstances in which we will be permitted or required to disclose this by law will be by court order, to government bodies such as HMRC, Department of Education and the Department for Work and Pensions, and law enforcement agencies. However, sometimes we may share your information with third parties in the following ways:
- Service providers such as examination boards, travel companies, banks, pension providers
- Local Children Safeguarding board, DBS, NCTL
- government authorities (e.g. HMRC, DfE, CAFCASS, police, Home Office, a relevant public health/NHS body and/or local authority) and/or appropriate regulatory bodies e.g. the Teaching Regulation Agency, the Independent Schools Inspectorate, the Charity Commission
- An insurance claim
- Sub-contractors and other persons who help us provide our services
- Our legal and other professional advisors, including our auditors
- Fraud prevention agencies, credit reference agencies, and debt collection agencies if appropriate as part of your account management
- The NHS
- In an emergency or to otherwise protect your vital interests
- To protect the security or integrity of our business operations
- To other parties connected with your account e.g. guarantors and other people named on the application including joint account holders who will see your transactions
- Where we restructure our business or its assets
- Payment systems e.g. credit cards to process transactions
- We may use carefully selected sub-processors to help us collect, store or manage your information. This will always be managed under the terms of a written data processing agreement
- Stage 3 complaints panels, which will include independent panel members
- Analytics and search engine providers that assist us in the improvement and optimisation of the website, school portal, management information systems, cloud storage provider, and social media platforms
- The King’s School, Worcester Development Trust
- Anyone else where we have your consent or where it is required by law
We do not otherwise share or sell personal data to other organisations for their own purposes.
Access to, and sharing of, sensitive data
Particularly strict rules of access apply in the context of “special category” data, most notably:
- medical records, and
- pastoral or safeguarding files.
The Foundation needs to process such information to comply with statutory duties and to keep pupils and others safe, but the Foundation will ensure only authorised staff can access information on a need-to-know basis. This may include wider dissemination if needed for school trips or for catering purposes. Express consent will be sought where appropriate.
However, a certain amount of any SEND pupil’s relevant information will need to be provided to staff more widely in the context of providing the necessary care and education that the pupil requires.
Staff, pupils and parents/guardians are reminded that the Foundation is under duties imposed by law and statutory guidance (including Keeping Children Safe in Education or ‘KCSIE’) to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This is likely to include file notes on personnel or safeguarding files, low-level concerns records kept about adults (which may include references to pupils or family members), and in some cases referrals to relevant authorities such as the LADO, Children’s Services, CAMHS or the police.
KCSIE also requires that, whenever a child leaves the Foundation to join another school or college, his or her child protection file is promptly provided to the new organisation, along with any other information which the School’s Designated Safeguarding Lead (DSL) considers material to the ongoing care needs of any pupil. Where appropriate, the Foundation will consult with parents/guardians as to how these needs are best served, but ultimately the decision as to what information is necessary to share with the new school or college is a safeguarding question that must be reserved to the School’s DSL. The School will retain a copy of the child protection file in accordance with its retention policy for material related to safeguarding matters.
For further information about this, please view the Foundation’s Safeguarding Policy.
How long we keep Personal Data
The Foundation will keep your personal data only for as long as required to achieve the purposes for which it was collected, in line with this privacy notice.
The following criteria are used to determine the period for which we will keep your personal data:
- Until we are no longer required to do so to comply with regulatory requirements or financial obligations.
- Until we are no longer required to do so by any law we are subject to.
- Until all purposes for which the data was originally gathered have become irrelevant or obsolete.
- Until the goods and/or services we have provided are no longer in active use.
We operate Records Retention Guidelines, which set out the time period for different categories of data to be kept.
If you have any specific queries about how our retention policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact our Compliance Manager via email at: firstname.lastname@example.org. However, please bear in mind that the Foundation will often have lawful and necessary reasons to hold on to some personal data even following such a request.
A limited and reasonable amount of information will be kept for archiving purposes, for example, and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes (called a “suppression record”).
Keeping in touch and supporting the Foundation
The Foundation, and/or any relevant other organisation, e.g. Alumni and Business Development Office (ABDO), will use the contact details of parents/guardians, alumni and other members of the Foundation community to keep them updated about the activities of the Schools, or alumni and parent/guardian events of interest, including by sending updates and newsletters, by email and by post. Unless the relevant individual objects, the Foundation will also:
- Share personal data about parents/guardians and/or alumni, as appropriate, with organisations set up to help establish and maintain relationships with the Foundation community, such as the Old Vigornians and the KSW Parents’ Association
- Contact parents/guardians and/or alumni (including via the organisations above) by post and email in order to promote and raise funds for the School
Fundraising helps us to achieve our strategic objective of improving access and the opportunities for our pupils. We fundraise from individuals, companies and foundations who want to support our charitable purposes. We keep in touch with the Old Vigornians, current or former parents/guardians and other members of the Foundation community.
You always have the right to withdraw consent, where given, or otherwise object to direct marketing or fundraising. However, the Foundation is nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to that particular address, email or telephone number). You can update your data preferences at any time to ensure that our communications are relevant to you by contacting the ABDO at email@example.com.
You have rights in relation to any Personal Data that we hold about you. If you wish to access your Personal Data you may make a formal Subject Access Request by contacting the Foundation Compliance Manager via email at: firstname.lastname@example.org.
The information you request must relate to you (or another person that you have authority to act on their behalf). The Foundation will require a confirmation of your ID prior to providing any information about the data we hold. If you are unable to provide sufficient information to prove your ID, the Foundation reserves the right to refuse your request for access to Personal Data. The rights you have in relation to the Personal Data we hold regarding you are:
- The right to be informed about our processing of your personal data
- The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed
- The right to object to processing of your personal data, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights
- The right to restrict processing of your personal data (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal)
- The right to (in certain circumstances) have your personal data erased (the ‘right to be forgotten’)
- The right to request access to your personal data and information about how we process it
- The right to move, copy or transfer your personal data (‘data portability’) in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller
- Rights in relation to automated decision making including profiling. (The Foundation does not currently carry out any automated decision making or profiling).
If you have provided us with consent to process your information, you always reserve the right to withdraw this consent via the method detailed in the paragraph below. We are committed to ensuring that your wishes are respected and upon notification that you wish to withdraw your consent, the Foundation will immediately cease processing the information in question.
Please be aware that the Foundation may have another lawful reason to process the personal data in question even without your consent. That reason will usually have been stated under this Privacy Notice, or may exist under some form of contract or agreement with the individual e.g. employment or parent contract or membership of the Old Vigornians.
We try to respond to all legitimate requests within one month.
You should be aware that GDPR rights (including the right of access) are limited to your own Personal Data, and certain data is exempt.
You may have heard of the “right to be forgotten”. However, we will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your (or your child’s) Personal Data: for example, a legal requirement, or where it falls within a proportionate legitimate interest identified in this Privacy Notice. Generally, if we still consider the processing of the Personal Data to be reasonably necessary, we are entitled to continue. All such requests will be considered on their own merits.
The rights under Data Protection Law belong to the individual to whom the data relates. However, the Foundation will often rely on parental authority or notice for the necessary ways it processes personal data relating to pupils – for example, under the parent contract, or via a form. Parents/guardians and pupils should be aware that this is not necessarily the same as the Foundation relying on strict consent.
Where consent is required, it may in some cases be necessary or appropriate – given the nature of the processing in question, and the pupil’s age and understanding – to seek the pupil’s consent, either alongside or in place of parental consent. Parents/guardians should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.
In general, we will assume that pupils’ consent is not required for ordinary disclosure of their personal data to their parents/guardians, e.g. for the purposes of keeping parents/guardians informed about the pupil’s activities, progress and behaviour, and in the interests of the pupil’s welfare. That is unless, in the Foundation’s opinion, there is a good reason to do otherwise.
However, where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents/guardians, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example where the Foundation believes disclosure will be in the best interests of the pupil or other pupils, or if required by law.
Pupils are required to respect the personal data and privacy of others, and to comply with the Foundation’s Pupil Acceptable Use policy and the School Rules. Staff are under professional duties to do the same covered under the relevant staff policy.
Data accuracy and security
The Foundation will endeavour to ensure that all Personal Data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify the relevant school of any significant changes to important information, such as contact details, held about them.
An individual has the right to request that any out-of-date, irrelevant or inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why we may need to process your data, of who you may contact if you disagree.
We will take appropriate technical and organisational steps to ensure the security of Personal Data about individuals, including policies around use of technology and devices, and access to school systems. All staff and governors will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
The Foundation will not transfer your personal data to any country other than those that have been granted an adequacy decision under the General Data Protection Regulation. We may however share your personal data with third-party organisations who then transfer the data. We shall take all reasonable measures to ensure those third parties are also compliant with data protection law.
You should be aware that providing information over the internet can never be guaranteed as being completely safe, and if you choose to send such information to us via the internet, you do so at your own risk.
We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach in accordance with our statutory obligations.
We may change this Privacy Notice at any time to ensure it always accurately reflects the way we collect, use and safeguard your Personal Information. Any substantial changes will be notified on our website, and to you directly as far as practicable.
This Privacy Notice should be read in conjunction with our other policies and terms and conditions, which refer to personal data including:
- Parent Contract
- Safeguarding Policy
- Health and Safety Policy
- Acceptable Use Policy.
Queries and complaints
Any comments or queries on this policy should be directed to the Compliance Manager via email on email@example.com.
If an individual believes that the Foundation has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should utilise the Foundation Complaints procedure and notify the Compliance Manager. You can also make a referral to, or lodge a complaint with, the Information Commissioner’s Office (ICO), the data protection supervisory authority for England and Wales https://ico.org.uk/concerns, although the ICO recommends that steps are taken to resolve the matter with us before involving them.
Data Protection Officer
Staverton Technology Park
22 September 2023