Customer Privacy Notice
How We Use Your Information
INTRODUCTION
This Privacy Notice (Notice) is to help you understand how and why we collect personal information about you and what we do with that information. It also explains the decisions that you can make about your own information.
In this context ‘we’, ‘Clifton College’ or the ‘College’ shall mean Clifton College and its subsidiary undertakings. Where applicable, it may also include Clifton College Development Trust and/or the College’s alumni association (the Old Cliftonian Society) and Clifton College Services Limited.
WHAT IS "PERSONAL INFORMATION"?
Personal information is information that identifies you and relates to you. This includes your names, contact details and financial information. We hold other information about our customers depending on which of our services they access. For example, we hold medical information about our gym users and children studying with us as part of our Holiday Club, Summer Language School and Easter Revision Course programmes.
WHY DOES THE COLLEGE USE YOUR PERSONAL INFORMATION?
Our primary reason for using your personal information is to enable you to access our services.
You have the following rights regarding your information:
● Rectification of information held;
● Access to information held;
● Deletion of information in certain circumstances;
● Portability – the transfer of information to you or a third party;
● Restriction of use of information; and
● The right to object to the use of information in certain circumstances.
The Director of Corporate Services is the person responsible at our College for managing how we look after personal information. The Director of Corporate Services is supported by the Data Protection Adviser (‘DPA’). The Director of Corporate Services or the DPA can answer any questions which you may have about how we use your personal information.
OUR LEGAL BASES FOR USING YOUR INFORMATION
This section contains information about the legal bases that we are relying on when handling your information.
The two tables below contain a general description of the different legal bases but we have also used a colour code system so that you can see which bases we are relying on for each of the purposes described in the paragraphs below.
Necessary for contract (“CT”)
We will need to use your information in order to perform our obligations under our contract with you and for you to perform your obligations as well. For example, we need your name and financial details so that we can process your payment for our services.
Legitimate interests (“LI”)
This means that we are using your information when this is necessary for our legitimate interests except when your interests and fundamental rights override our legitimate interests.
Specifically, we have a legitimate interest in:
● safeguarding and promoting the welfare of you, other customers and our employees;
● facilitating efficient operations;
● keeping the buildings safe;
● protecting our reputation;
● promoting our objects and interests. This includes using photographs of you at our events and facilities in promotional material. It also includes making sure that we are able to enforce our rights against you, for example, so that we can contact you if unpaid bills are due;
● using your information in connection with legal disputes. For example, if you bring a claim against us; and
● ensuring that all relevant legal obligations are complied with.
● In addition your personal information may be processed for the legitimate interests of others.
Legal obligation (“LO”)
● Where we need to use your information in order to comply with a legal obligation. We may also have to disclose your information to third parties such as the courts, the local authority or the police where legally obliged to do so.
● We must also comply with an additional condition where we process special categories of personal information. These special categories are as follows: personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric information, health information, and information about sex life or orientation.
Vital interests (“VI”)
In limited circumstances we may use your information to protect your vital interests or the vital interests of someone else (e.g. if you or they are seriously hurt).
Medical purposes (“MP”)
This includes medical treatment and the management of healthcare services.
Legal claims (“LC”)
We are allowed to use your information if this is necessary in relation to legal claims. For example, this allows us to share information with our legal advisors and insurers.
HOW AND WHY DO WE COLLECT AND USE YOUR PERSONAL INFORMATION?
We set out below examples of the different ways in which we use personal information and where this personal information comes from. The letters highlighted in different colours below refer to the legal bases we are relying on. Please see the section above for an explanation.
1. Our primary reason for using your personal information is to enable you to access our services – LI, CT.
2. We will have information about any medical conditions or dietary requirements which might affect your ability to access events or facilities. This is to help us provide appropriate care and support to you – LI, CT, MP.
3. We use CCTV to make sure the College site is safe. Images captured of you via CCTV will be your personal information. CCTV is not used in private areas such as toilets – LI, CT.
4. We will send you information to keep you up to date with what is happening. For example, by sending you information about events and activities taking place – LI.
5. We may take photographs or videos of you at events to use on social media and on the website. This is to show prospective customers what we do here and to advertise. We may continue to use these photographs and videos after you are no longer a customer – LI.
6. If there is a complaint or grievance made which involves you then we will use your information in connection with that complaint or grievance – LI.
7. Where necessary to ensure your access to facilities and services, we will share your personal information with other members of the Clifton College family, which includes Clifton College Services Limited, Clifton College International Limited, the Old Cliftonian Society, Clifton College Development Trust and Clifton College Endowment Fund. For example, we will share information about dietary requirements with Clifton College to ensure that those being catered for whilst accessing our services are served appropriate food – LI.
8. We may use your information when ensuring network and information security, for example, our anti-virus software might scan files containing information about you – LI.
9. We can keep information about you for a very long time or even indefinitely if we need this for historical, research or statistical purposes. For example, if we consider the information might be useful if someone wanted to write a book about the College – LI.
Financial information
1. We will process financial information about you in relation to the payment of bills – LI, CT.
Sharing personal information with third parties
1. We will share information with third parties where this is in accordance with our legal obligations – LI, LO.
2. We may need to share information about you with the Health and Safety Executive (a government organisation) if there is a health and safety issue at the College – LI, LO.
3. Occasionally we may use consultants, experts and other advisors to assist in fulfilling our obligations and to help us run properly (e.g. our accountants). We will share your information with them if this is relevant to their work – LI, CT.
4. In certain circumstances, we may also need to share information with our legal advisers for the purpose of obtaining legal advice – LI, LO, LC.
5. We may need to share information if there is an emergency, for example, if you are hurt whilst on College premises – LI, VI.
6. We may share information about you with our insurance company, for example, where there is a serious incident at the College – LI, LC.
7. On occasion, we may need to share your information with the police for the prevention and investigation of crime and the prosecution of offenders. We will only do this in specific circumstances to assist the police with their investigations – LI, CT, LO.
We sometimes use contractors to handle personal information on our behalf. The following are examples:
● IT consultants who might access information about you when checking the security of our IT network; and
● we use third-party “cloud computing” services to store some information rather than the information being stored on hard drives located on the College site.
MORE THAN ONE BASIS
As you will see from this notice, in some cases we will rely on more than one basis above for a particular use of your information. In addition, we may move from one of the legal bases listed above to another as circumstances change.
CONSENT
We will contact you with marketing material by email, telephone, post or by text message but we will only do this where we are allowed to do so under data protection law (for example, we will usually need your consent before sending you an email about an upcoming production at Redgrave Theatre). We may ask for your consent to use your information in certain ways as an alternative to relying on any of the bases in the table above. For example, we may ask for your consent before taking or using some photographs and videos if the photograph or video is more intrusive and we cannot rely on legitimate interests. If we ask for your consent to use your personal information you can take back this consent at any time. If you tell us that you do not want to be contacted for any of these purposes then we will of course respect that. Any use of your information before you withdraw your consent remains valid. Please speak to the General Manager or DPA if you would like to withdraw any consent that you have given.
SENDING INFORMATION TO OTHER COUNTRIES
In certain circumstances, we will send your information to countries which do not have the same level of protection for personal information as there is in the UK. For example, we may store your information on cloud computer storage based overseas. We will conduct a risk assessment to determine whether there will be an adequate level of protection in place before we transfer the information. We follow the guidance from the ICO: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/ If you have any questions about the safeguards that are in place, please contact the Data Protection Adviser.
FOR HOW LONG DO WE KEEP YOUR INFORMATION?
We keep your information for as long as we need to in order to provide you with access to events and facilities. We will keep some information after you are no longer a customer, for example, so that we can find out what happened if you make a complaint. In exceptional circumstances, we may keep your information for a longer time than usual but we would only do so if we had a good reason and only if we are allowed to do so under data protection law. For further information regarding our retention of personal data, please contact the DPA.
WHAT DECISIONS CAN YOU MAKE ABOUT YOUR INFORMATION?
From May 2018 you will be able to make various decisions about your information. Some of these are new rights whilst others build on your existing rights. Your rights are as follows:
● Rectification: if information held by the College about you is incorrect you can ask us to correct it.
● Access: you can also ask what information we hold about you and be provided with a copy. This is commonly known as making a subject access request. We will also give you extra information, such as why we use this information about you, where it came from and what types of people we have sent it to.
● Deletion: you can ask us to delete the information that we hold about you in certain circumstances. For example, where we no longer need the information.
● Portability: you can request the transfer of your information to you or to a third party in a format that can be read by computer in certain circumstances.
● Restriction: our use of information about you may be restricted to simply storing it in some cases. For example, if you tell us that the information is inaccurate we can only use it for limited purposes while we check its accuracy.
● Object: you may object to us using your information where:
○ we are using it for direct marketing purposes;
○ the legal basis on which we are relying is either legitimate interests or performance of a task carried out in the public interest. Please see the section "Our legal bases for using your information" above;
○ we are using it for historical or scientific research purposes or archiving purposes. For example, we may keep photographs of your class for historical reasons.
The Director of Corporate Services or DPA can give you more information about your data protection rights.
FURTHER INFORMATION AND GUIDANCE
This notice is to explain how we look after your personal information. The Director of Corporate Services or DPA can answer any questions which you might have. Please speak to the Director of Corporate Services or DPA if:
● you would like to exercise any of your rights listed above; or
● you would like us to update the information we hold about you; or
● you would prefer that certain information is kept confidential.
If you consider that we have not acted properly when using your personal information you can contact the Information Commissioner's Office: ico.org.uk.