GDPR PRIVACY NOTICE
FOR INDEPENDENT CONTRACTORS, CHARITY MEMBERS, CHILDREN ATTENDING LES CROCODILES AND THEIR PARENTS / GUARDIAN
Les Crocodiles is a Charity Incorporated Organisation (CIO) entered in the Register of Charities at the Charity Commission under the charity number 1158669. Its registered office address is 83A Downs Park Road, LONDON E5 8NP.
The objects of the charity are “To advance the education for the public benefit by teaching the French language and French culture, heritage and history to children in East and North London and to adults through the provision of after school, weekend and holiday classes and through organising events open to the general public as the trustees shall determine.”
This privacy notice describes how Les Crocodiles collects and uses personal information about independent contractors - including teachers, assistants and any self-employed individuals in contract with the school (“contractors”), children attending the charity school (“Child” or “Children”) and the parents of the Children (“Parents”) (known collectively as “You” or “Your”), in accordance with the General Data Protection Regulation (GDPR).
A child is defined as anyone under the age of 18, in accordance with the UN Convention on the Rights of the Child which defines a child as everyone under 18 unless, "under the law applicable to the child, majority is attained earlier" (Office of the High Commissioner for Human Rights, 1989).
When we refer to someone with parental responsibility for a child we mean someone who, according to the law in the child’s country of residence, has the legal rights and responsibilities for a child that are normally afforded to parents. This will not always be a child’s ‘natural parents’ and parental responsibility can be held by more than one natural or legal person.
2. WHAT IS THE PURPOSE OF THIS DOCUMENT?
We are a data controller for the purpose of the Data Protection Act. This means that we are responsible for deciding how we hold and use personal information about You. This notice describes the kind of information we hold about You, why we are holding this information and how we are processing it.
The school manager acts as a representative for the school in regards to its data controller responsibilities. They can be contacted on email@example.com
The chair is the Data Protection Officer (DPO). Their role is to oversee and monitor the school’s data protection procedures, and to ensure they are compliant with the GDPR. The DPO can be contacted by email firstname.lastname@example.org .
We take our responsibilities as a data controller seriously and we are committed to protecting the privacy and security of your personal information. We may update this notice at any time but if we do so, we will provide You with an updated copy of this notice as soon as reasonably practical.
3. DATA PROTECTION PRINCIPLES
The following principles set out by GDPR lie at the heart of our approach to processing personal data.
1. We use data lawfully, fairly and in a transparent way
2. We collect data only for valid purposes that we have clearly explained to You
3. We collect only relevant data to the purpose we have told You about and limited to those purposes.
4. We ensure that data are accurate and kept up to date
5. We keep personal data for no longer than necessary for the purposes for which they are processed and as set out in our Retention Policy.
6. Your personal data are processed using appropriate technical and organisational measures to ensure they remain secure, confidential and protected.
7. We shall be able to demonstrate compliance with these principles.
4. TYPES OF PERSONAL DATA WE PROCESS
Personal data, or personal information, means any information about an individual from which that person is identified or identifiable. There are “special categories” of more sensitive personal data which require a higher level of protection, such as information about a person’s health or ethnicity. Les Crocodiles holds both sensitive and non-sensitive data.
We process personal data about prospective, current and past: pupils and their parents; independent contractors, suppliers, donors, friends and supporters; and other individuals connected to or visiting the charity school.
The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual.
a. Independent contractors & members
We collect, store and use the following categories of personal information about Teachers, Assistants, other self-employed individuals as well as board and active members of the charity.
- Personal contact incl. name, address, telephone numbers, email address
- Date of birth
- Bank account details
- Recruitment information (incl. references and information included in a CV or cover letter or as part of the application process).
- Employment records (including start date, function, work history, qualifications and training).
- Information about the usage of our information and communications systems.
- Records of any reportable death, injury, disease or dangerous occurrence.
- Contractors files and training records.
- Minutes of meetings, email messages
We also collect, store and use the following “special categories” of more sensitive personal information, in accordance with applicable law (including with respect to Safeguarding Policy):
- Criminal records information (Disclosure of Barring Service)
We collect, store and use the following categories of personal information about children.
- Personal contact incl. name, home address
- Date of birth
- Student class attendance, observations and assessment data
- Mainstream school name and class
- French language assessment information
- Emergency contact details
- Images, audio, video recordings, drawings, documents, email messages
- Siblings information when sibling also registered
- Photo consent form
- Records of any reportable death, injury, disease or dangerous occurrence
We also collect, store and use the following “special categories” of more sensitive personal information, in accordance with applicable law (including with respect to Safeguarding Policy and Equality legislation):
- Health information (vaccination, medication, allergies, surgery details, general health)
c. Parents / guardian / partner
We collect, store and use the following categories of personal information about Parents / Guardian and partner.
- Personal contact incl. name, home address, telephone numbers, email address
- Relationship to child
- State Benefits information
- Bank account details if paying by direct debit or claiming a refund
- User behaviour information from newsletter, website and Facebook
We collect most of the personal data we process directly from the individual concerned (or in the case of pupils, from their parents). In some cases, we collect data from third parties (for example, the Disclosure and Barring Service, or professionals working with the individual) or from publicly available resources. Personal information about Children and Parents / Guardian as well as Emergency contact details are collected through the enrolment process using a secure registration form. Complementary information may also be shared by emails.
5. HOW IS YOUR PERSONAL INFORMATION COLLECTED?
We will only use Your personal information when the law allows us to. Most commonly, we will use Your personal information in the following circumstances:
(1) Where we need to perform the contract we have entered into with You.
(2) Where we need to comply with a legal obligation
Though it is likely to be rare, we may also collect and process personal information on the grounds of legitimate interest or personal information for which an explicit consent is required.
Whilst the majority of the personal data you provide to the school is mandatory, some is provided on a voluntary basis. When collecting data, the school will inform you whether you are required to provide this data or if your consent is needed. Where consent is required, the school will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used.
a. Independent contractors & members
All information described in section 4.a of this document are collected to allow us to perform our contracts with independent contractors and members and to enable us to comply with legal obligations (Safeguarding policy). We process the data for the following purposes:
- To appoint independent contractors and new board and active members;
- To pay invoices;
- To administer the contract we have entered into with the independent contractor;
- To conduct reviews and appraisals of performance;
- To assess qualifications, training and development requirements;
- To conduct of any grievance, capability or disciplinary procedures;
- To maintain appropriate human resources records for current and former staff;
- To provide references;
- To administer and implement rules and policies for independent contractors & members;
- To comply with health and safety obligations;
- To monitor the use of IT systems to ensure compliance to policies;
- To monitor Equal opportunities
All information described in section 4.b of this document are collected to allow us to perform our contracts with children and to enable us to comply with legal obligations (Safeguarding policy). We process the data for the following purposes:
- To manage school admissions;
- To administer school curriculum and timetable;
- To support pupil teaching and learning;
- To monitor and report on pupil progress;
- To provide library services;
- To provide appropriate pastoral care;
- To assess the quality of our services;
- To administer and implement rules and policies for pupils;
- To assess the performances of the school;
- To carry out fundraising;
- To comply with the law regarding Safeguarding
c. Parents / Guardian / Emergency contacts
All information described in section 4.c of this document are collected to allow us to perform our contracts with parents / guardian in relation to child enrolment and to enable us to comply with legal obligations (Safeguarding policy). We process the data for the following purposes:
- To administer and implement rules and policies for parents / guardian;
- To report on a Child’s attendance and progress;
- To contact a Parent or a Child’s emergency contact about their Child;
- To administer invoices and collect fees;
- To improve communication towards parents / guardian;
- To fulfil our charitable mission: to advance the education for the public benefit
If Independent contractors and Parents fail to provide personal information
If independent contractors and Parents fail to provide certain information when requested, we may not be able to perform the respective contracts we have entered into with Independent Contractors and Parents, or we may be prevented from complying with our respective legal obligations to independent contractors, Children and Parents.
6. PURPOSES FOR WHICH WE COLLECT AND PROCESS PERSONAL DATA
”Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:
1. In limited circumstances, with Independent Contractors or Parent explicit written consent.
2. Where we need to carry out our legal obligations or exercise rights in connection with Independent Contract.
3. Where it is needed in the public interest, such as for equal opportunities monitoring. Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect an Independent Contractors, a Child or a Parents’ interests (or someone else’s interests) and the Independent Contractors, Child or Parent as is appropriate is not capable of giving consent, or where the Independent Contractors or Parent has already made the information public.
7. HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION
We envisage that we will hold information about criminal convictions. We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so, which includes but is not limited to Disclosure and Barring Service (“DBS”) checks. Where appropriate, we will collect information about criminal convictions as part of the appointment process or we may be notified of such information directly by you in the course of you working for us. We will use information about criminal convictions and offences in the following ways:
• To conduct a DBS check on each Independent Contractor as well as any individual in regular contact with children as per Safeguarding policy, to record the date of the DBS check, the number of the DBS check and the name of the body conducting the DBS check. We are allowed to use your personal information in this way to carry out our obligations. We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.
8. INFORMATION ABOUT CRIMINAL CONVICTIONS
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. Les Crocodiles does not make any decision on that basis.
9. AUTOMATED DECISION-MAKING
We may have to share Independent contractors, charity members, Child or Parent data with third parties, including third-party service providers.
We will share Your personal information with third parties where required by law, where it is necessary to administer the working relationship with You or where we have another legitimate interest in doing so.
Most of our systems are administered by third parties and cloud storage providers, eg hosted databases, school website, school posts and messages and school emails. This is always subject to contractual assurances that personal data will be kept securely. We do not allow our third-party service providers to use Your personal data for their own purposes. We only permit them to process Your personal data for specified purposes and in accordance with our instructions.
We may share personal data with French and Francophone public institutions and public bodies for fundraising purposes, including the AEFE (l’Agence pour l’enseignement du Français à L’Etranger) and the Parapluie FLAM (Français Langue Maternelle).
We may also need to share Your personal information with a regulator or to otherwise comply with the law. For example, as a Charity Incorporated Organisation, Les Crocodiles is required to have its accounts independently examined.
We do not otherwise share or sell personal data to other organisations for their own purposes.
10. DATA SHARING
Les Crocodiles uses various cloud-based services and cloud storage for the processing of Your Personal data. These companies are “data Processors” under GDPR.
Data Processors include
- Salesforce: for the management of contacts, registration process, management of classes.
- Microsoft Office 365: emails, cloud storage, collaboration, production de documents
- Quickfile: accounts & finances, invoices
- ClassDojo: attendance & evaluation, communication with parents
- Mailchimp: general communication
We also use Paypal and GoCardless services to process payments of tuition fees. They are also a data controller of Your personal data.
We also use Google Analytics – a data processor, to understand how les-crocodiles.org is used and to make improvements to the website. You can choose not to be tracked by Google Analytics using Google Analytics Opt-out Browser Add-on. This add-on can be found here: https://tools.google.com/dlpage/gaoptout/
As a consequence, Your personal data may be transferred to countries or territories around the world.
11. DATA TRANSFERS
We will only retain Your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our Retention policy. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of Your personal data, the purposes for which we process Your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise Your personal information so that it can no longer be associated with You, in which case we may use such information without further notice to You. Once you are no longer an Independent contractor, a charity member, or a Child benefiting from the school services or a Parent, as is appropriate, we will retain and securely destroy your personal information in accordance with our data retention policy OR applicable laws and regulations.
12. DATA RETENTION
Your duty to inform us of changes
It is important that the personal information we hold about You is accurate and current. Please keep us informed if Your personal information changes during your contractual relationship with us.
Your rights in connection with personal information
Under data protection legislation, You have the right to request access to information that we hold.
Under certain circumstances, by law You have the right to:
• Request access to Your personal information (commonly known as a “data subject access request”). This enables You to receive a copy of the personal information we hold about You and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about You. This enables You to have any incomplete or inaccurate information we hold about You corrected.
• Request erasure of your personal information. This enables Employees or Parents to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove Your personal information where You have exercised Your right to object to processing (see below).
• Object to processing of Your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about Your particular situation which makes You want to object to processing on this ground. You also have the right to object where we are processing Your personal information for direct marketing purposes.
• Request the restriction of processing of Your personal information. This enables Independent contractors, charity members or Parents, as is appropriate, to ask us to suspend the processing of personal information about You, for example if You want us to establish its accuracy or the reason for processing it.
• Request the transfer of Your personal information to another party.
If You want to review, verify, correct or request erasure of Your personal information, object to the processing of Your personal data, or request that we transfer a copy of Your personal information to another party, please contact the manager in writing. No fee shall be required to access Your personal information or to exercise any of the above rights.
We will respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. We will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, we may ask you to reconsider your request.
We may need to request specific information from You to help us confirm your identity and ensure Your right to access the information (or to exercise any of Your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
13. RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
In the limited circumstances where You may have provided Your consent to the collection, processing and transfer of Your personal information for a specific purpose, You have the right to withdraw Your consent for that specific processing at any time. To withdraw Your consent, please contact email@example.com . Once we have received notification that You have withdrawn Your consent, we will no longer process Your information for the purpose or purposes You originally agreed to, unless we have another legitimate basis for doing so in law.
14. RIGHT TO WITHDRAW CONSENT
In the UK, only children aged 13 or over are able to provide their own consent. Children have the same rights as adults over their personal data. These include the right to access their personal data, request rectification, object to process and have their personal data erased.
The rights under Data Protection legislation belong to the individual to whom the data relates. However, we will often rely on parental consent to process personal data relating to pupils (if consent is required) unless, given the nature of the processing in question, and the pupil's age and understanding, it is more appropriate to rely on the pupil's consent.
Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.
In general, we will assume that pupils’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil's activities, progress and behaviour, and in the interests of the pupil's welfare, unless, in the school's opinion, there is a good reason to do otherwise.
However, where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the school believes disclosure will be in the best interests of the pupil or other pupils, or is required by law.
Pupils can make subject access requests for their own personal data, provided that they have sufficient maturity to understand the request they are making. A person with parental responsibility will generally be entitled to make a subject access request on behalf of pupils, but the information in question is always considered to be the child’s at law. A pupil of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity) their consent or authority may need to be sought by the parent making such a request.
15. PUPIL & CHILDREN DATA
We reserve the right to update this privacy notice at any time, and we will provide You with a new privacy notice when we make any substantial updates. We may also notify You in other ways from time to time about the processing of your personal information.
Our privacy notice should be read in conjunction with our other policies and Terms and Conditions which make reference to personal data, including our Safeguarding Policy and our Code of Conduct.
16. CHANGES TO THIS PRIVACY NOTICE
If you believe that we have not complied with this policy or have acted otherwise than in accordance with Data Protection Law, you should notify the Data Protection Officer: firstname.lastname@example.org
You can also complain to the Information Commissioner’s Office in one of the following ways:
- Report a concern online at https://ico.org.uk/concerns/
- Call 0303 123 1113
- Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF