Privacy notice – Website
Our website address is: https://camlang.co.uk.
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
Privacy Notice – General Statement
The Cambridge centre for Languages (CCL) is serious in its commitment committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the Data Protection Act (DPA). https://ico.org.uk/for-organisations/guide-to-data-protection/data-protectionprinciples/ Changes to data protection legislation (GDPR May 2018) shall be monitored and implemented in order to remain compliant with all requirements.
The legal bases for processing data are as follows – (a) Consent: the member of staff/student/parent has given clear consent for the school to process their personal data for a specific purpose. (b) Contract: the processing is necessary for the member of staff’s employment contract or student placement contract. (c) Legal obligation: the processing is necessary for the school to comply with the law (not including contractual obligations)
The members of staff responsible for data protection are Laura Chen, James Errington, Daniel Taylor and Paul Booth. However all staff must treat all student information in a confidential manner and follow the guidelines as set out in this document.
CCL are also committed to ensuring that its staff are aware of data protection policies, legal requirements and adequate training is provided to them through training session prior to and during the course period.
Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/
Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.
Breaches of personal or sensitive data shall be notified within 72 hours to the individual(s) concerned and the ICO.
Personal and Sensitive Data
All data within the school’s control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates. The definitions of personal and sensitive data shall be as those published by the ICO for guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/keydefinitions/
The principles of the Data Protection Act shall be applied to all data processed:
• ensure that data is fairly and lawfully processed
• process data only for limited purposes
• ensure that all data processed is adequate, relevant and not excessive
• ensure that data processed is accurate
• not keep data longer than is necessary
• process the data in accordance with the data subject’s rights
• ensure that data is secure
• ensure that data is not transferred to other countries without adequate protection.
Fair Processing / Privacy Notice
We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, parents and pupils prior to the processing of individual’s data. Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation. https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-noticestransparency-and-control/
There may be circumstances where CCL is required either by law or in the best interests of our students or staff to pass information onto external authorities, for example the Local Children’s Safeguarding Board. These authorities are up to date with data protection law and have their own policies relating to the protection of any data that they receive or collect.
The intention to share data relating to individuals to an organisation outside of our school shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information. Any proposed change to the processing of individual’s data shall first be notified to them. Under no circumstances will the school disclose information or data:
• that would cause serious harm to a child or anyone else’s physical or mental health or condition
• indicating that the child is or has been subject to child abuse or may be at risk of it, where the disclosure would not be in the best interests of the child
• recorded by the pupil in an examination
• that would allow another person to be identified or identifies another person as the source, unless the person is an employee of the school or a local authority or has given consent, or it is reasonable in the circumstances to disclose the information without consent. The exemption from disclosure does not apply if the information can be edited so that the person’s name or identifying details are removed
• in the form of a reference given to another school or any other place of education and training, the child’s potential employer, or any national body concerned with student admissions.
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them. Risk and impact assessments shall be conducted in accordance with guidance given by the ICO: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/ https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/ https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2014/02/privacyimpact-assessments-code-published/
Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance. The security arrangements of any organisation with which data is shared shall also be considered and where required these organisations shall provide evidence of the competence in the security of shared data.
Data Access Requests (Subject Access Requests)
All individuals whose data is held by us, has a legal right to request access to such data or information about what is held. We shall respond to such requests within one month and they should be made in writing to: James Errington, Centre Director, The Cambridge Centre for Languages, 4 Brooklands Avenue, Cambridge, CB2 8BB. No charge will be applied to process the request. Personal data about pupils will not be disclosed to third parties without the consent of the child’s parent or carer, unless it is obliged by law or in the best interest of the child. Data may be disclosed to the following third parties without consent:
• Dietary requirements to our partner schools when they are providing food for students
• Examination authorities in case of students registering for an examination as part of a CCL course.
• Health authorities – as obliged under health legislation, the school may pass on information regarding the health of children in the school to monitor and avoid the spread of contagious diseases in the interest of public health.
• Police and courts – if a situation arises where a criminal investigation is being carried out we may have to forward information on to the police to aid their investigation. We will pass information onto courts as and when it is ordered.
• Social workers and support agencies – in order to protect or maintain the welfare of our pupils, and in cases of child abuse, it may be necessary to pass personal data on to social workers or support agencies.
Right to be Forgotten
Where any personal data is no longer required for its original purpose, an individual can demand that the processing is stopped and all their personal data is erased by the school including any data held by contracted processors.
Photographs and Video
Images of staff and pupils may be captured at appropriate times and as part of educational activities for use in school only. Consent will be obtained prior to courses taking place for students and staff to allow their photographs to be used in publicity materials for CCL. Unless such prior consent from parents/pupils/staff has been given, the school shall not utilise such images for publication or communication to external sources. It is the school’s policy that external parties (including parents) may not capture images of staff or pupils during such activities without prior consent.
Location of information and data
Hard copy data, records, and personal information are stored out of sight and in a locked cupboard. The only exception to this is medical information that may require 6 immediate access during the school day. This will be stored with the Accommodation & Welfare Manager. Sensitive or personal information and data should not be removed from the school site, however the school acknowledges that some staff may need to transport data between the school and their home in order to access it for work in the evenings and at weekends. This may also apply in cases where staff have offsite meetings, or are on school visits with pupils.
The following guidelines are in place for staff in order to reduce the risk of personal data being compromised:
• Paper copies of data or personal information should not be taken off the office site. If these are misplaced they are easily accessed. If there is no way to avoid taking a paper copy of data off the school site, the information should not be on view in public places, or left unattended under any circumstances.
• Unwanted paper copies of data, sensitive information or pupil files should be shredded. This also applies to handwritten notes if the notes reference any other staff member or pupil by name.
• Care must be taken to ensure that printouts of any personal or sensitive information are not left in printer trays or photocopiers.
• If information is being viewed on a PC, staff must ensure that the window and documents are properly shut down before leaving the computer unattended. Sensitive information should not be viewed on public computers.
• If it is necessary to transport data away from the school, it should be downloaded onto a USB stick. The data should not be transferred from this stick onto any home or public computers. Work should be edited from the USB, and saved onto the USB only.
• USB sticks that staff use must be password protected. These guidelines are clearly communicated to all school staff, and any person who is found to be intentionally breaching this conduct will be disciplined in line with the seriousness of their misconduct.
CCL recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk. All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services. All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process. Disposal of IT assets holding data shall be in compliance with ICO guidance: https://ico.org.uk/media/fororganisations/documents/1570/it_asset_disposal_for_organisations.pdf