Privacy Policy

Last updated April 19th 2023
 

Data Protection and Privacy Policy

We are committed to protecting the privacy of anyone whose personal data we hold.

As an organisation, we have to comply with data protection legislation:

We are obliged by data protection legislation to protect your personal information.

We have to make sure we process personal data in line with data protection principles and ensure that your rights as Individuals (Data Subjects) are met. These are outlined in our Data Protection (GDPR) policy.

Information Governance Framework

To help us show how we comply with data protection legislation, we have put an Information Governance Framework in place, which outlines our approach to data privacy.

Your rights under data protection legislation

We will follow current data protection and other legislative guidance when dealing with requests from Individuals (Data Subjects) to exercise their data rights.

The right to be informed

We will tell you what we are doing with your personal data, why we need to collect it, what we will do with it and who we will share it with.

We will give you this information in our Privacy Notices (see below).

Where we need to collect, process or share your personal information for any purpose not outlined on the Privacy Notices, we will provide separate information and obtain consent where necessary.

Read more about partner agencies and other organisations who we work with, including privacy notices for awarding/validating bodies, agencies and some other third parties.

The right to access

This is known as a Data Subject Access Request. Full details are available in the Data Protection (GDPR) policy file above.

If you wish to request information we hold about you, please complete a Data Subject Access form and email it for the attention of the Data Protection Officer.

Any request in writing or email from the Individual (Data Subject) will be considered as a valid request, as long as it contains the relevant information for us to deal with your request.

If you are not known to the relevant department or business area, we may ask to see proof of your identity. The following forms of identity will be accepted (please note, we will need to see the original): 

  • passport
  • driving licence
  • bank, building society or credit card statement in the Data Subject’s name for the last quarter
  • council tax bill

Request information on behalf of someone else

If you are requesting information on behalf of someone else you must complete the Data Subject Access Request form. You will need to provide written evidence that you have the Data Subject’s authority to ask for the information on their behalf. For example, signature on the Data Subject Access form, a letter written by them, evidence of Power of Attorney.

  • If your Data Subject Access Request is approved, you will be provided with either a printout or a photocopy of paper records.
  • If you have requested information to be sent by email, we will only agree to this if it can be sent through an approved secure method.
  • We will respond to your request within 30 days. If we are not able to approve your request for information or are not able to provide the information within 30 days, we will notify you. Proof of identity of the person or organisation making the request will be required.

Request information on behalf of an enforcing body

Requests for disclosure of personal information in connection with investigation of crime or any other enforcing body investigation should be made on a Police and Enforcing Bodies disclosure request form and emailed for the attention of the Data Protection Officer. ID will be requested and verified.

Charges

  • Information will normally be provided free of charge.
  • However there may be some circumstances when a charge can be made. For example, where the request is manifestly unfounded or excessive, we may charge a ‘reasonable fee’ for the administrative costs of complying with the request.
  • We can also charge a reasonable fee if an Individual (Data Subject) requests further copies of their data following a request.
  • We will follow guidance from the ICO to determine if a charge applies and advise you before collating the information.

The right to rectification

  • For amendments to your personal information such as updating details we have collected from you for normal business processing. These could include contact details, change of address, emergency/next of kin, contact details, course details and medical details.
  • Please contact the relevant department to tell them what is incorrect and ask for it to be corrected.
  • For anything that is not considered routine business processing, please email the Data Protection Officer who will take steps to action your request.
  • We will aim to deal with requests for rectification as soon as possible. We will respond within one month. This will be extended by two months where the request for rectification is complex.

The right to erasure/deletion

  • Requests for the erasure (deletion) or removal of personal data, where there is no lawful basis for its continued processing, should be made to the relevant department.
  • We have the right to refuse a request for erasure under certain circumstances – please refer to the Data Protection (GDPR) policy file above for further details.
  • We will aim to deal with right to erasure requests within one month. Where we are unable to complete the request within this timescale, we will let you know.

Right to restriction

  • Requests to restrict us from processing your personal data can be made, but there may be reasons why we may not be able to comply.
  • If a request is determined to be valid, we will take steps to immediately restrict the processing of personal data as set out in our Data Protection (GDPR) policy.

Right to data portability

  • Details on this are outlined in the Data Protection (GDPR) policy. Requests should be made to the relevant department.
  • We will aim to respond within one month or within one month advise the individual if we need to extend the time frame by two months, where the request is complex, or a number of requests have been received.

Right to objection

  • You may object to processing under certain circumstances, please refer to the Data Protection (GDPR) policy.
  • Requests should be made to the relevant department.
  • We will aim to deal with requests within one month and advise you if we cannot meet this timescale.

Rights in relation to profiling and automated decision-making

  • Profiling and automated decision-making are two different things, although automated decision-making can include profiling.
  • We will specify any profiling or automated decision-making in our Privacy Notices or other communication as necessary.
  • Further information is in our Data Protection (GDPR) policy.

Reporting a concern

If you are unhappy with the way we have processed your personal information or feel that your request for information or to exercise your data rights have not been dealt with appropriately, please contact the Data Protection Officer in the first instance. Email dataprotectionofficer@camphill.ac.uk

If you are unhappy with the outcome of your complaint, you can escalate your complaint to the Information Commissioner’s Office. Call 0303 123 1113 or visit the ICO Concerns website.

 




Personal information you disclose to us 

We collect personal information that you voluntarily provide to us


The personal information that we collect depends on the context of your interactions with us and the website, the choices you make and the products and features you use. The personal information we collect may include the following:



Personal Information Provided by You. 

We collect names; phone numbers; email addresses; and other similar information.

All personal information that you provide to us must be true, complete and accurate, and you must notify us of any changes to such personal information.

 

Information automatically collected


In short:  Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our website



We automatically collect certain information when you visit, use or navigate the website. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our website and other technical information. This information is primarily needed to maintain the security and operation of our website, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies.

The information we collect includes:


  • Log and Usage Data. Log and usage data is service-related, diagnostic, usage and performance information our servers automatically collect when you access or use our website and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type and settings and information about your activity in the website (such as the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called 'crash dumps') and hardware settings).

  • Device Data. We collect device data such as information about your computer, phone, tablet or other device you use to access the website. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model Internet service provider and/or mobile carrier, operating system and system configuration information.

  • Location Data. We collect location data such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the website. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. Note however, if you choose to opt out, you may not be able to use certain aspects of the Services.


In short:  We process your information for purposes based on legitimate business interests, the fulfillment of our contract with you, compliance with our legal obligations, and/or your consent.












In short:  We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.

In short:  We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.

In short:  We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.


 

In short:  We aim to protect your personal information through a system of organizational and technical security measures.

 

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security, and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our website is at your own risk. You should only access the website within a secure environment.