Privacy Policy
Review Date: September 2023
Next Review Date: September 2024
Signed: Changing Education Group
Changing Education Limited operates in accordance with the principles of the Data Protection Act 2018 and the UK General Data Protection Regulations. Our registration reference with the Information Commissioner’s Office (ICO) is ZA091427.
1. Aims
Changing Education respects the privacy of every individual who visits our website, uses our products, services, and software, contacts us, and works with us. We are committed to safeguarding your privacy and have written the following privacy notice to explain what information we collect, and what we do with it in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to all personal data, regardless of whether it is in paper or electronic format related to students, teachers, parents, visitors, suppliers, and others.
For information related to former and current staff, or if you have applied for a role with Changing Education Group, then please request a copy of our Data Protection Policy, which is available from the Data Officer, Stephen Hackney. Contact details are at the end of this notice. This policy is reviewed annually, or where legislation and laws change.
2. Who is the Data Controller/Processor?
If you visit our website, are a former or current member of staff, or one of our suppliers, then the Data Controller is Changing Education Limited, of The Cheshire College South & West, Dane Bank Avenue, Crewe, Cheshire, Crewe CW2 8AB (Company number 06677456).
If you are using our delivery products, services, and software (student, teacher, & parent), then we are a Data Processor. If you have a concern or a query on how your data is managed, we would ask that in the first instance, you contact the educational provider that engaged us.
3. Definitions
Term | Definition |
Personal data | Any information relating to an identified, or identifiable individual.
This may include the individual’s: ● Name (including initials) It may also include factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity. |
Special categories of personal data | Personal data which is more sensitive and so needs more protection, including information about an individual’s:
● Racial or ethnic origin |
Processing | Anything done to personal data, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disseminating, erasing, or destroying.
Processing can be automated or manual. |
Data subject | The identified or identifiable individual whose personal data is held or processed. |
Data controller | A person or organisation that determines the purposes and the means of the processing of personal data. |
Data processor | A person or other body, other than an employee of the data controller, who processes personal data on behalf of the data controller. |
Personal data breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. |
4. How do we obtain your personal data?
We may obtain your personal data in a variety of ways, including
- From inbound enquiries to info@/help@changingeducation.co.uk and other email inboxes such as individual email accounts of Changing Education employees
- From inbound phone calls where we see the incoming phone number and you pass us information verbally
- From data you supply while we are working together during commissioned projects, or during new business activities and the act of commissioning new work
- From networking activities and events, for example, exchanging business cards or connecting on LinkedIn.
- From recommendations or references about you from others
- From recruitment activities, including inbound CV submissions and employee onboarding
- From your registration onto our software systems
- From website analytics
- From you signing up to our mailing list via our website or social media pages
- From contact from and conversations with our suppliers
Any information you give us should be accurate, and if you are supplying anyone else’s data, you must ensure that you have the authority and legal basis to do so.
5. What personal data is processed?
5.1. Student
If you are a student, then we will process the following information:
- Contact details (name, address, email address, and phone number),
- academic performance data,
- and in a small number of instances, some medical information to ensure that you receive the right support in your placement environment.
If you have any queries, then please contact your education provider.
5.2. General:
Depending on your relationship and activity with Changing Education, we may process different types of information about you, including:
- Name
- Email address
- Phone number
- Job title
- Business name and address
- IP addresses
- Social media usernames/handles
- Browser information
- Bank account information
6. Who is my information shared with?
Your personal data will not be sold or disclosed to anyone outside of Changing Education or Changing Education’s appointed suppliers, without obtaining your prior consent – unless we are required to do so by law.
For our general day-to-day data processing activities, we use third-party organisations (also called sub-processors) to help us administer and monitor the services we provide:
- for the provision of software services to enable the management of our customers, staff, and office administration
- for payroll and financial accounting
- to share newsletters, promotional details, industry news, or other information that may be of interest to you
- to help us improve our services
- for the administration of our website and customer interactions
- for any legal guidance in the provision of our services
For full details of the third-party suppliers we use, please contact us at the address below.
7. How is your personal information used?
The personal data you give us may be used in a variety of ways:
- Communicating with you as a customer, about new or currently commissioned projects
- Responding to recruitment enquiries and progressing the recruitment process, storing your details for future reference if new positions become available
- Performing account tasks, such as raising and sending invoices
- Storing in databases for reference by appropriate Changing Education employees and our suppliers
- Retention of your personal information
We will only keep your personal data for as long as it is relevant to the purpose for which it was collected or for as long as we are required to keep it by law. As part of the certification process to the IASME standard, we have developed a retention policy. If you would like a copy of this, then please contact our Data Officer at the address below.
8. What is our legal basis for processing your data?
Depending on your relationship and activity with Changing Education, our legal basis for processing your personal data may be different.
In the case of signing up to our mailing list, we rely on your consent given at the time of sign-up, and you should consult the privacy notices and messages on those forms.
In the case of employees or customers of Changing Education, the processing is necessary for the performance of a contract between yourself and Changing Education.
For other activities, such as storing CVs sent to us as part of recruitment, processing is necessary for the purposes of legitimate interests of Changing Education.
9. Sharing Personal Data
We will not normally share personal data with anyone else, but may do so where:
- There is an issue with a pupil or parent/carer that puts the safety of our staff at risk
- We need to liaise with other agencies – we will seek consent as necessary before doing this
- Our suppliers or contractors need data to enable us to provide services to our staff and pupils – for example, IT companies. When doing this, we will:
- Only appoint suppliers or contractors that can provide sufficient guarantees that they comply with data protection law
- Establish a data-sharing agreement with the supplier or contractor, either in the contract or as a standalone agreement, to ensure the fair and lawful processing of any personal data we share
- Only share data that the supplier or contractor needs to carry out their service, and information necessary to keep them safe while working with us
We will also share personal data with law enforcement and government bodies where we are legally required to do so, including for:
- The prevention or detection of crime and/or fraud
- The apprehension or prosecution of offenders
- The assessment or collection of tax owed to HMRC
- In connection with legal proceedings
- Where the disclosure is required to satisfy our safeguarding obligations
- Research and statistical purposes, as long as personal data is sufficiently anonymised or consent has been provided
We may also share personal data with emergency services and local authorities to help them to respond to an emergency situation that affects any of our pupils or staff. Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
10. Children and subject access requests
Personal data about a child belongs to that child, and not the child’s parents or carers. For a parent or carer to make a subject access request with respect to their child, the child must either be unable to understand their rights and the implications of a subject access request or have given their consent.
Children aged 13 and above are generally regarded to be mature enough to understand their rights and the implications of a subject access request. Therefore, most subject access requests from parents or carers of pupils from our service may not be granted without the express permission of the pupil. This is not a rule and a pupil’s ability to understand their rights will always be judged on a case-by-case basis.
Please note, that Changing Education is a Data Processor of this information. The education provider is the Data Controller. If you have any concerns or queries on the data that is passed to Changing Education in order that we can provide a service, please contact the education provider. We are unable to respond to any requests from a child, their parent, or carer.
For more information on the role of Data Controllers and Data Processors, then please see the additional guidance on the Information Commissioners website here.
11. Your rights
You have the right to request access to the personal data that we hold about you – this is known as a Subject Access Request (SAR). If you wish to make a SAR about the personal data we hold about you, please email info@changingeducation.co.uk. We will normally respond within 30 days to provide you with the data we hold about you in a commonly-used electronic format. There is no charge for this service, however, if requests become manifestly unfounded, excessive, or repetitive, we may charge a fee appropriate to the administrative work required. This time can be extended by two months if the request is complex.
You have the right to request a rectification of your personal data. To do so, please email info@changingeducation.co.uk. We will respond within 30 days, although can be extended by two months if the request for rectification is complex. If Changing Education decides not to act in response to a request for rectification, we will explain to you our reasons.
You have the right to the deletion or removal of your personal data where there is no compelling reason for its continued processing. To request deletion of your personal data, please email info@changingeducation.co.uk. We may refuse to comply with a request for erasure in some circumstances, for example in the case of requiring the information as part of a legal obligation, such as our statutory accounts and records.
You have the right to suppress or restrict the processing of your personal data. To request this, please email info@changingeducation.co.uk .
You have the right to data portability, which allows you to obtain and reuse your personal data for your own purposes across different services. To request this, please email info@changingeducation.co.uk. We will respond within 30 days to provide you with the data we hold about you in a commonly-used electronic format. This time can be extended by two months if the request is complex.
You have the right to object to:
- – processing based on legitimate interests
- – direct marketing
- – processing for purposes of scientific/historical research and statistics.
To make an objection to processing, please email info@changingeducation.co.uk.
12. How we protect your information
We take a range of organisational and technical measures to protect your information. We maintain strict physical, electronic, and administrative safeguards to protect your personal data from unauthorised or inappropriate access.
We have invested in IASME, a scheme that includes Cyber Essentials. IASME is aligned with the international standard for information security called ISO27001.
Where appropriate we use industry-standard encryption techniques, including encrypting web traffic using HTTPS. Regular security reviews are held by Changing Education and in consultation with our software developers to ensure that our systems and processes remain safe and secure for the protection of your personal data. We have invested in the use of world-leading technologies that themselves have invested in ensuring that their systems and the protection of Client data are a top priority.
Where you have registered onto our software systems with a self-chosen password, we ask you not to use that same password on any other systems. You are responsible for the security of your own passwords. We recommend following the guidance on passwords from the National Cyber Security Centre which can be found here.
13. Is any of my data sent outside of the EU?
Yes. Wherever possible we select data centers in the EU, however, some data is stored in the US, and we have listed these suppliers below.
We select suppliers carefully and in many cases, Model Contracts exist between Changing Education and those suppliers in order to ensure the suppliers meet the standards required to protect your personal data.
Third Country
(non EU / non EEA / International organisation) |
Purpose of processing | Safeguards in place and further information |
Connect
Business Processing |
Information is transferred to the US using standard contractual clauses : | |
Postmark | Student -> workplace -> college / school emails | Information is potentially transferred to the US using Standard Contractual clauses : |
Sage | Accountancy, invoicing etc | Information is transferred to the US using model clause agreements : |
DocuSign | Contract Signature tools | Information is potentially transferred to the US using Binding Corporate Rules.: |
14. How We Use Cookies
A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone browser from a website’s server and is stored on your device. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites. Many websites do this whenever a user visits their website to track online traffic flows.
As a visitor, you can edit your browser settings to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these means that the website might not work properly. Each browser is different, so check the Help menu of your browser to find out how to change your cookie preferences.
When you visit this website, the pages you see, along with a cookie, are downloaded to your device. Many websites do this because cookies enable website publishers to do useful things like identify whether the device (and probably its user) has visited the website before. This is done on a repeat visit by checking to see, and finding, the cookie left there on the last visit.
15. Third-Party Cookies
During your visit, you may notice some cookies that are not related to this site. When you visit a page with content embedded from, for example, YouTube or Flickr, you may be presented with cookies from these websites. We do not control the dissemination of these cookies. You should check the third-party websites for more information about these.
16. How to control and delete cookies
We will not use cookies to collect personally identifiable information about you. However, if you wish to restrict or block the cookies that are set by this website, or indeed any other website, you can do this through your browser settings. The Help function within your browser should tell you how.
Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this in the browser of your mobile phone, you will need to refer to your handset manual.
Please be aware that restricting cookies may impact the functionality of this website.
The cookies we use
- – _ga, _gid
- – Google Analytics
This is a service used to monitor traffic on the site and its pages. Google stores the information collected by the cookie on servers in the United States. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google
Find out how to manage cookies on popular browsers:
To find information relating to other browsers, visit the browser developer’s website.
To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.
17. Links to Other Websites
Our website and other communications may contain links to other third-party websites. You should be aware that we do not have any control over other these third-party websites, and therefore we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites. Such sites are not governed by this privacy notice.
You should exercise caution and look at the privacy notice applicable to the website in question.
18. Marketing
From time to time we may perform limited marketing for which we have a legitimate interest to do so. We source email details from Sprint Education who are the Data Controller.
If you wish to unsubscribe from any of our newsletters then please either click the button at the bottom of any newsletters that are issued or drop us a line at the details provided below. If you wish to ensure that you no longer receive any emails from us or other companies then please contact Sprint Education at https://sprint-education.co.uk/about/contact
19. Contact
We have appointed a Data Officer. Our Data Officer is Stephen Hackney and is contactable via 01625 827309 or at the details below.
For any questions about this Privacy Notice, or Changing Education’s approach to data protection, please contact us:
Email: info@changingeducation.co.uk
Address: The Cheshire College, Dane Bank Avenue, Crewe, Cheshire, Crewe CW2 8AB
If we are unable to satisfy any complaint or query that you may have, or if you are still concerned, you can contact the Information Commissioners Office at www.ico.org.uk
Changes to our Privacy Policy:
We keep our privacy policy under regular review, and we will place any updates on this web page.