Who is the Data Controller?
The data controller is USP College, firstname.lastname@example.org.
Why do we collect personal information?
The organisation collects and processes personal data relating to its students to effectively manage their learning and to meet its statutory obligations as a Further Education College. USP College is committed to being transparent about data it collects, how it uses that data and to meet its data protection obligations.
What personal information does the organisation collect?
1. We collect the following personal data under GDPR Article 6c (Legal Obligation), and 6e (Public Task) in order to meet our legal obligations with the ESFA and HEFCE. They are also necessary in order for us to carry out our public task to provide education and training.
- Details about yourself including your name, date of birth and gender
- Contact details including address, telephone number and email address
- Details of your previous qualifications, employment and educational history
- Information about your nationality and residency, and previous address if applicable
- Information about medical or health conditions, including whether or not you have a learning disability or difficulty
- Household information (this is collected only for ESFA and is not used by USP College).
2. We collect data about criminal convictions in order to protect vital interests of others (GDPR Article 6d, Vital Interest) and also in order to carry out our duty to support those with a conviction GDPR Article 6e (Public Task).
3. We collect emergency contacts GDPR Article 6d (Vital Interests) for those over age 18 at the start of the academic year, the information is optional.
4. We collect parent/carer details for those under 18 at the start of the academic year under GDPR Article 6e (Public Task) in order to support our duty to support the education and learning as fully as possible.
How is this collected?
Most of the information above is collected directly from yourself via an application or enrolment form. However, some information such as previous qualifications, or special needs, may be collected from other organisations such as the DfE, the Local Education Authority, or your previous school.
Where do we store data?
Data will be stored in a range of different places, including the electronic student information management systems, on paper in stored secure places, or on electronic documents within a secure network.
Why does the organisation need to process personal data?
USP College needs to process data so we can provide you with the highest standards of education and training we are able to give and to meet its legal obligations from government organisations including the DfE and HEFCE. Data regarding employment status and benefits are required to assess your eligibility for fee remission or support.
Where the organisation processes other special categories of personal data, such as information about ethnic origin, disability or health, this is done for the purposes of equal opportunities monitoring and to monitor our service provision to improve our services to specific groups. We also use the data so we can personalise the provision to each student to provide him or her with the best possible opportunities to succeed. This may include, but is not limited to, sharing relevant data with prospective employers with a view to providing work experience. Any information that has been supplied under the lawful basis of consent can be withdrawn at any time by emailing the Data Protection Officer at email@example.com.
Contact details will not be used for marketing purposes without your consent, which can be withdrawn at any time. However, the college will use the contact information to contact you in order to carry out our duties to you, for example, to notify you of a change of course date, and also to obtain data where legally required, such as destination surveys.
Who has access to data?
Your information may be shared internally with any staff that need the data to provide services to the student. This will include special categories of data where appropriate.
Where USP College engages non-statutory third parties to process personal data on its behalf, we require them to do so on the basis of written instructions. They are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
The organisation shares your data with third parties where there is a legal obligation, including ESFA, HEFCE, Learner Records Service (LRS) and Essex County Council (ECC) for students aged 16-18. Collection of student destinations is a requirement of the college and this will be carried out on our behalf by an external organisation who will only use your data for this specific purpose. On occasion, the college may share your data with our external printing companies for personalised mailings regarding your application or the college.
Information to support an application will be shared with UCAS where a student has engaged in the higher education admissions process. This will include a comprehensive overview of academic and personal achievements, as well as any relevant supportive information that contextualises a student's educational journey.
Do we process data outside the EEA?
USP College will not transfer your data to countries outside the European Economic Area.
How does the organisation protect data?
The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. The Data Protection policy can be viewed on our website or can be obtained in a paper version by contacting our Reception.
How long does the organisation keep data?
All data collected and processed on behalf of the ESFA or HEFCE will be held for as long as we are legally required to do so, currently until at least 2030. Other data will be held as long as is necessary to fulfil our duty as a college. Any data provided by consent may be deleted on request.
What rights do you have?
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request
- require the organisation to change incorrect or incomplete data
- require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the stated purposes of processing
- object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing. The college will only use “legitimate interests” as grounds for processing in very few situations.
If you would like to exercise any of these rights, please email the Data Protection Officer at firstname.lastname@example.org.
Who can I complain to?
If you believe that USP College has not complied with your data protection rights, you can complain to the Information Commissioner’s Office. For further information, visit www.ico.org.uk/for-organisations/report-a-breach.
What if I do not provide personal data?
Failure to provide data required to meet legal obligations will result in us not being able to enrol you as a student. Failure to provide other information (except that requiring consent), for example learning difficulty information, may result in the college being unable to provide the standard of service we would wish to provide.
Does USP College use automated decision-making?
No, the college does not use automated decision-making.