Data Protection and Privacy Statement
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 give you the right to be informed about how we process your personal information. The information below supports this right.
Stockton Riverside College is the data controller for purposed of data protection. We are committed to protecting the personal information of all our staff, students, parents, visitors, employers and partners. The College recognises its obligations to keep personal information secure and believes it is important for you to know how we treat personal information.
Who is Stockton Riverside College?
The Stockton Riverside College is a group of education institutions, representing Stockton Riverside College, SRC Bede Sixth Form, Redcar and Cleveland College, NETA Training Group, Tees Valley Catering and Skills Academy.
We are happy to receive feedback to make this statement more user-friendly. Please contact us.
Data Protection Officer
Stockton Riverside College
Stockton Riverside College Group processes personal information about its staff, students, visitors and wider community under a lawful basis, as defined in the UK Data Protection Act 2018 and GDPR.
In all our operations as a Further Education College Group, we use the ‘legitimate interest’ lawful basis for processing in relation to delivering our services and meeting the high expectations of our staff, students and visitors.
Sometimes, there will be situations where a staff member, student, or visitor may wish to engage with additional services or opportunities. For processing personal information in this way, we seek direct consent. This may be consent from the individual or consent from a parent or carer (depending on the individual’s ability to understand how giving consent might affect them).
We will always use ‘opted in’ Consent to send you targeted marketing information. We will ensure that our marketing practices comply with the Privacy and Electronic Communications Regulation (PECR).
Some of our work with third parties (commercial or otherwise) requires us to create data sharing relationships. Whether either party is acting in a Controller or Processor role, we will always use a Contract as a basis for sharing personal data and will apply data sharing compliance through a Data Sharing Agreement.
Some information will be processed under a Legal Obligation and this usualy relates to financial information, governance and corporate functions. In reference to students, we are under a legal obligation to share personal information with Local Authorities (Section 72 of the Education and Skills Act 2008).
Such information includes:
(a) the name, address and date of birth of the pupil or student;
(b) the name and address of a parent of the pupil or student;
(c) information in the institution’s possession about the pupil or student.
Where a student has not reached the age of 16, their own and their parents’ information will not be shared.
We may be relied upon to provide personal information to the Emergency Services or other agencies in order for them to save a life or where an imminent or potential threat to life exists. We will disclose information to these agencies under these circumstances.
Stockton Riverside College may collect your personal information. .
The methods we use (electronic form, application form, enrolment form, etc) will inform users at the point of data collection that they are submitting personal information to the College. When personal information is collected (in Enquiry Forms or Application Forms, etc), the College will provide the reason for collecting the information and how the information will be used.
Where all such data collection takes place online, a secure, encrypted connection is presented to users to protect the data they are submitting. Furthermore, once that data has been safely collected by the system, only authorised personnel will have access to that data, offering additional security.
We may also collect personal information, submitted voluntarily, about users from their use of our social media pages. Users should note that information submitted to social media pages is not, in the first instance, collected by us, or held on our servers, but by the third party service provider such as Facebook, Twitter, etc. However, once we have collected such personal information from the external service provider, only appropriately authorised personnel will have access to this information.
We may share personal information with third party organisations (data processors) that we have engaged to provide services to us, or with whom we have a legal duty to share information, such as funding bodies, examination boards, local authorities, etc. Such organisations are bound by the same regulations as us to use personal information only for the performance of a legal or authorised purpose.
We do not collect or use personal data for any purpose other than that indicated here. If we wish to use your personal data for new purposes, we will ask for your permission directly first.
Under the ‘legitimate interest’ lawful purpose for processing personal data we will sometimes share the personal information of employees, students, visitors, etc with third parties.
We share information in two ways:
- One off sharing
- Systematic sharing
One off sharing is where we share information with a third parties once a year or rarely (ad hoc).
Systematic sharing is when we share information on a regular or ongoing basis.
In all cases, we will use the most relevant method for sharing personal information and will ensure that a Data Sharing Agreement is in place in the form of a contract, agreement or other formal arrangement.
We share personal information with a range of third parties. The categories of which are as follows:
- Local authorities (and their associated services)
- Schools (to support transitions)
- Employment agencies (to facilitate non-salaried staff)
- Employers (and potential employers, re: references, etc)
- The Police (prevention & detection of crime, investigations)
- DBS and background check agencies (for safeguarding)
- Exam boards (certification, results, access arrangements)
- Other agencies where the sharing is in the best interests of the data subject.
Parents / carers (for students under 19)
We will share information with parents of students under 19 in the following circumstances:
- If the student is absent (we will contact the emergency contact person to ensure that the absent student has not come to, or is not at risk of, harm). We process this information under a legal duty to safeguard our students.
- In the form of standard progress reports.
- In relation to a disciplinary procedure.
We may be required to share personal information before, during or after your relationship with us is established (employee, student, visitor, etc).
We want to protect your personal data, but we do not wish to hinder your chances of establishing or moving on with your career or life goals. If we have shared your personal information in a way that you do not like, please let us know and we will do our best to fix the issue.
Security of Collected Information
We maintain strict physical, electronic and administrative safeguards to protect users’ personal information from unauthorised or inappropriate access. Employees, business partners and affiliates who misuse a user’s personal information are subject to disciplinary actions.
Our campuses and buildings utilise fixed-camera Closed Circuit Television systems. These are in place for the safety and security of our staff, students, visitors and property.
We store images on our CCTV systems for 16 days. We may be required to securely store captured images for longer to support investigations.
Some of our staff are authorised to use portable, College-owned devices as an extention of our fixed CCTV cameras in order to safeguard persons and property. These images are captured in line with current regulations, our CCTV policy and was introduced subsequent to guidance from the UK data protection regulator, the Information Commissioner’s Office (ICO).
Where Access Barriers are used across our sites, it is for the purpose of safeguarding the students, staff and visitors on our campuses.
We do not use the barriers for general or targeted surveillance of individuals. However, we may use the data to help support the emergency services during emergency situations (ie, where a person may be unaccounted for in the building).
We always give our website visitors a secure connection to allow them to submit personal data to us via our online forms.
Additionally, visitors will always be given access to a secure website such as WorldPay in order to submit financial data for reasons of paying for services. We do not retain your credit / debit card numbers in these instances; you are sharing this financial data directly with WorldPay, etc.
We have implemented industry standard security codes of practice, rules and technical measures to protect the personal data that we have under our control to prevent:
- unauthorised access
- improper use or disclosure
- unauthorised modification
- unlawful destruction or accidental loss
All our employees and data processors (others with whom we share personal information [exam boards, employers, local authority, care agencies, financial support agencies, etc] are required to respect the confidentiality of your personal data under the strict regulation of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We have Data Sharing Agreements in place with appropriate third-parties.
We ensure that your personal data will not be disclosed to third-party institutions and authorities except if required by law or statutory regulation.
Cookies on stockton.ac.uk
Our website, like millions of others on the World Wide Web, uses small files called ‘cookies’ to help us to give you a better experience.
What are ‘cookies’?
‘Cookies’ are small text files that are stored by the browser (e.g. Internet Explorer or Safari) on your computer or mobile phone. They allow websites to store such things as user preferences. You can think of cookies as providing a “memory” for the website, enabling it to recognise a user and respond appropriately. However this cookie does not let us know your name, address, age or any other information that can identify you as a person.
Scroll to the bottom of any of our web pages and you will see a link to get more informstion about the cookies we use and how to easily manage your cookie preferences, including turning cookies off.
Site performance cookies
This type of cookie remembers your preferences for tools found on our website, so you don’t have to re-set them each time you visit. An example is remembering the information you put into our forms.
Anonymous analytics cookies
Each time a user visits our website, web analytics software provided by a third party generates a set of anonymous analytics cookies. Again, no personally identifiable information is shared:
- These cookies can tell us whether or not you have visited the site before.
- Your browser will tell us if you have these cookies. If you don’t, we generate new ones.
- This allows us to track how many unique users we have, and how often they visit the site.
- Other third party cookies
On some of our pages, third party controls may also set their own anonymous cookies, for the purposes of tracking the success of their application, or customising the application for you. Because of the way cookies work, we cannot access these cookies, nor can the third parties access the data in cookies used by our website.
You have the right to be informed about how we use your personal information, with whom we share it and how you can exercise your rights.
You have the right to access the personal information we hold about you.
Access to the personal data we may hold about you.
You can submit a query to us regarding personal data by completing a Data Subject Access Request form, available by clicking this link;
The form is offered for your convenience; we will still process your Subject Access Request if you send us your request in another written format (own letter, email, etc). It is not essential to use the form, but it does offer guidance in terms of the detail we need to help you gain access to the information you require in a timely and efficient manner. It also gives you a secure means to submit proof of identity and proof of representation documents to us (see below).
Please submit completed SARs to the Data Protection Officer, along with:
- Proof of identity (a current Passport or Driving License)
- Proof of Authorisation (if making a request on behalf of another person)
If a third party is acting on your behalf, we will need proof that you have given them permission to act for you, your proof of ID and the representative’s proof of ID.
We will then provide you with your personal data without undue delay, or within one month of ID validation. We allow you to challenge the data that we hold about you and, where appropriate, you may have the data:
- erased (where not exempt)
- rectified or amended
If we have any of your informaiton wrong, you have the right to instruct us to rectify that information.
You have the right to have your personal information erased from our system or any system with which we share your personal information. Simply let us know and we’ll remove it.
However, this right relates to any informaiton that you have given us. Information that we have created as part of your relationship with us, does not have t be deleted, although you still have the right to access this information. In addition, we will not delete any information which we are required to retain for legitimate purposes, or where an event such as a legal investigation woud override your request.
You have the right to have your personal information ‘ported’, or transferred anywhere you like (an employer, another college, etc). Again, this only applies to personal information you have given us directly.
All the usual ID checks will also apply before we process a request.
You have the right to object to any automated personal data processing that we may do.
This iusually means by any automated means, such as profiling, but you can also object to your personal data being used for marketing purposes.
We don’t use your personal information for marketing purposes unless you have agreed to this at the initial point of us collecting your data.
The College may not be required to process any request if it falls within one of the following categories:
- (a) national security;
- (b) defence;
- (c) public security;
- (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- (e) other important objectives of general public interest of the EU or the UK, in particular an important economic or financial interest of the EU or UK, including monetary, budgetary and taxation matters, public health and social security;
- (f) the protection of judicial independence and judicial proceedings;
- (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
- (i) the protection of the data subject or the rights and freedoms of others;
- (j) the enforcement of civil law claims.
Data Protection Officer
Stockton Riverside College,
If, subsequent to our response, you are not satisfied, you may wish to write to the Information Commissioner’s Office, or, subsequently, take other action.