How we process data about our students, carers and staff
Under data protection law, individuals have a right to be informed about how we use any personal data that we hold about them. We comply with this right by providing ‘privacy notices’ (sometimes called ‘fair processing notices’) to individuals where we are processing their personal data. This privacy notice explains how we collect, store and use personal data. We, Eerde International Boarding School Netherlands, are the ‘data controller’ for the purposes of data protection law. Our data protection officer is Mr. J. Bosman.
Why do we collect and use data?
In law, we collect and use student information under the General Data Protection Regulations (GDPR) and Dutch law, including Article 6 and Article 9 of the GDPR where processing is necessary for the performance of a task carried out in the public interest.
We use data:
- to support student learning and progression.
- to monitor and report on student progress.
- to provide appropriate pastoral care and safeguard students.
- to assess the quality of our services.
- to be able to contact student, carer or staff
- to process payment information
- to comply with the law regarding data sharing.
The categories of information that we collect include:
- Personal information (such as name, address, copy of passport and visa)
- Contact information (names and contact details)
- Characteristics (such as ethnicity, languages spoken at home)
- Student attendance information (such as sessions attended, number of absences and reasons for absence)
- Student assessment information (such as termly subject marks, exam results)
- Student medical information and details of any support received, including care packages and support plans
- Student behaviour and achievement information (such as commendations, detentions, exclusions)
- Information about safeguarding concerns
- Photographs and moving images
- CCTV images captured in school
- Bank account information
We may also hold data about students that we have received from other organisations, including other schools, local authorities or other organisations.
Legal basis for using data
We only collect and use personal data when the law allows us to. Most commonly, we process it where:
- We need to comply with the law.
- We need it to perform a task in the public interest (to provide our students with an education).
Sometimes, we may also process personal data in situations where:
- Individuals have given consent for us to use it in a certain way.
- We need to protect the individual’s vital interests (or someone else’s interests).
Whilst the majority of the information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform you whether you are required to provide certain information to us or if you have a choice in this. Where we have obtained consent to use personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn.
Staff: 7 years
Students/carers: 7 years
Where there have been safeguarding concerns or special educational needs, the retention of student data will be reviewed at this point and decisions about ongoing retention will be made on an individual basis. Stated data retention is a maximum, data which is no longer relevant might be deleted sooner.
Who do we share information with?
We routinely share (student) information with:
- Educational institutions that students attend after leaving us
- The local authority (for admissions, exclusions etc.)
- The Police and Social Services (where there are safeguarding concerns)
- Exam boards (eg. access arrangement for Cambridge and IBDP exams)
In case of health care and learning support:
- External assessment providers (eg. whole school testing)
- Doctor and external healthcare experts (eg. psychologist, counsellor)
- Youth protection services (eg. jeugdzorg, jeugdreclassering, veilig thuis)
We also share personal data with third party organisations which provide services to us. This data is only shared where it is essential for the service to be provided.
We currently provide pupil level data for the following purposes:
- To provide core school business services
- To run core ICT systems (Eg. Google G Suite and iSAMS)
- To support learning through curriculum (Eg. ManageBac, Kognity, ActivLearn)
- Employment and recruitment agencies (Eg. Employment Profit in case of staff)
- Financial service supplier (Eg. Orbys)
Youth support services
Once our pupils reach the age of 13, we are legally required to pass on certain information about them to the local authority, as it has legal responsibilities regarding the education or training of 13-19 year-olds. This information enables it to provide youth support services, post-16 education and training services, and careers advisers. Parents/carers, or pupils once aged 16 or over, can contact our data protection officer to request that we only pass the individual’s name, address and date of birth.
Transferring data internationally
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
How to access personal information we hold about you
You can find out if we hold any personal information about you, and how we use it, by making a ‘subject access request’, as long as we judge that you can properly understand your rights and what they mean.
Parents/carers can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent.
If we do hold information about you, we will:
- Give you a description of it.
- Tell you why we are holding and using it, and how long we will keep it for.
- Explain where we got it from, if not from you or your parents.
- Tell you who it has been, or will be, shared with.
- Let you know if we are using your data to make any automated decisions (decisions being taken by a computer or machine, rather than by a person).
- Give you a copy of the information.
You may also ask us to send your personal information to another organisation electronically in certain circumstances.
If you want to make a request, please contact us by using our contact form.
Your rights over your data
You have other rights over how your personal data is used and kept safe, including the right to:
- Say that you don’t want it to be used if this would cause, or is causing, harm or distress.
- Stop it being used to send you marketing materials.
- Say that you don’t want it used to make automated decisions (decisions made by a computer or machine, rather than by a person).
- Have it corrected, deleted or destroyed if it is wrong, or restrict our use of it.
- Claim compensation if the data protection rules are broken and this harms you in some way.