Privacy Policy
Data Protection and Privacy Policy
We are committed to protecting the privacy of anyone whose personal data we hold.
As an organisation, we have to comply with data protection legislation:
- UK General Data Protection Regulations (UK GDPR)
- UK Data Protection Act 2018
- other supporting data protection legislation such as the Privacy Electronic Communications Regulations (PECR)
We are obliged by data protection legislation to protect your personal information.
We have to make sure we process personal data in line with data protection principles and ensure that your rights as Individuals (Data Subjects) are met. These are outlined in our Data Protection (GDPR) policy.
Information Governance Framework
To help us show how we comply with data protection legislation, we have put an Information Governance Framework in place, which outlines our approach to data privacy.
Your rights under data protection legislation
We will follow current data protection and other legislative guidance when dealing with requests from Individuals (Data Subjects) to exercise their data rights.
The right to be informed
We will tell you what we are doing with your personal data, why we need to collect it, what we will do with it and who we will share it with.
We will give you this information in our Privacy Notices (see below).
Where we need to collect, process or share your personal information for any purpose not outlined on the Privacy Notices, we will provide separate information and obtain consent where necessary.
Read more about partner agencies and other organisations who we work with, including privacy notices for awarding/validating bodies, agencies and some other third parties.
The right to access
This is known as a Data Subject Access Request. Full details are available in the Data Protection (GDPR) policy file above.
If you wish to request information we hold about you, please complete a Data Subject Access form and email it for the attention of the Data Protection Officer.
Any request in writing or email from the Individual (Data Subject) will be considered as a valid request, as long as it contains the relevant information for us to deal with your request.
If you are not known to the relevant department or business area, we may ask to see proof of your identity. The following forms of identity will be accepted (please note, we will need to see the original):
- passport
- driving licence
- bank, building society or credit card statement in the Data Subject’s name for the last quarter
- council tax bill
Request information on behalf of someone else
If you are requesting information on behalf of someone else you must complete the Data Subject Access Request form. You will need to provide written evidence that you have the Data Subject’s authority to ask for the information on their behalf. For example, signature on the Data Subject Access form, a letter written by them, evidence of Power of Attorney.
- If your Data Subject Access Request is approved, you will be provided with either a printout or a photocopy of paper records.
- If you have requested information to be sent by email, we will only agree to this if it can be sent through an approved secure method.
- We will respond to your request within 30 days. If we are not able to approve your request for information or are not able to provide the information within 30 days, we will notify you. Proof of identity of the person or organisation making the request will be required.
Request information on behalf of an enforcing body
Requests for disclosure of personal information in connection with investigation of crime or any other enforcing body investigation should be made on a Police and Enforcing Bodies disclosure request form and emailed for the attention of the Data Protection Officer. ID will be requested and verified.
Charges
- Information will normally be provided free of charge.
- However there may be some circumstances when a charge can be made. For example, where the request is manifestly unfounded or excessive, we may charge a ‘reasonable fee’ for the administrative costs of complying with the request.
- We can also charge a reasonable fee if an Individual (Data Subject) requests further copies of their data following a request.
- We will follow guidance from the ICO to determine if a charge applies and advise you before collating the information.
The right to rectification
- For amendments to your personal information such as updating details we have collected from you for normal business processing. These could include contact details, change of address, emergency/next of kin, contact details, course details and medical details.
- Please contact the relevant department to tell them what is incorrect and ask for it to be corrected.
- For anything that is not considered routine business processing, please email the Data Protection Officer who will take steps to action your request.
- We will aim to deal with requests for rectification as soon as possible. We will respond within one month. This will be extended by two months where the request for rectification is complex.
The right to erasure/deletion
- Requests for the erasure (deletion) or removal of personal data, where there is no lawful basis for its continued processing, should be made to the relevant department.
- We have the right to refuse a request for erasure under certain circumstances – please refer to the Data Protection (GDPR) policy file above for further details.
- We will aim to deal with right to erasure requests within one month. Where we are unable to complete the request within this timescale, we will let you know.
Right to restriction
- Requests to restrict us from processing your personal data can be made, but there may be reasons why we may not be able to comply.
- If a request is determined to be valid, we will take steps to immediately restrict the processing of personal data as set out in our Data Protection (GDPR) policy.
Right to data portability
- Details on this are outlined in the Data Protection (GDPR) policy. Requests should be made to the relevant department.
- We will aim to respond within one month or within one month advise the individual if we need to extend the time frame by two months, where the request is complex, or a number of requests have been received.
Right to objection
- You may object to processing under certain circumstances, please refer to the Data Protection (GDPR) policy.
- Requests should be made to the relevant department.
- We will aim to deal with requests within one month and advise you if we cannot meet this timescale.
Rights in relation to profiling and automated decision-making
- Profiling and automated decision-making are two different things, although automated decision-making can include profiling.
- We will specify any profiling or automated decision-making in our Privacy Notices or other communication as necessary.
- Further information is in our Data Protection (GDPR) policy.
Reporting a concern
If you are unhappy with the way we have processed your personal information or feel that your request for information or to exercise your data rights have not been dealt with appropriately, please contact the Data Protection Officer in the first instance. Email dataprotectionofficer@camphill.ac.uk.
If you are unhappy with the outcome of your complaint, you can escalate your complaint to the Information Commissioner’s Office. Call 0303 123 1113 or visit the ICO Concerns website.
- Log and Usage Data. Log and usage data is service-related, diagnostic, usage and performance information our servers automatically collect when you access or use our website and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings and information about your activity in the website (such as the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called 'crash dumps') and hardware settings).
- Device Data. We collect device data such as information about your computer, phone, tablet or other device you use to access the website. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model Internet service provider and/or mobile carrier, operating system and system configuration information.
- Location Data. We collect location data such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the website. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. Note however, if you choose to opt out, you may not be able to use certain aspects of the Services.