The City of London School is part of the City of London Corporation (CoL), and it is the CoL that is registered with the Information Commissioner’s Office as the Data Controller (registration number Z5996206). The Data Protection Officer is the Comptroller & City Solicitor for the CoL, and can be contacted at email@example.com. The Data Protection contact at the City of London School is Susy Ralph (firstname.lastname@example.org)
In order to carry out its ordinary duties to staff, pupils and parents, the School collects and processes personal data about individuals (including current, past and prospective staff, pupils or parents) as part of its daily operation. The information in this Privacy Notice is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used.
Some of this activity the school will need to carry out in order to fulfil its legal rights, duties or obligations, including those under a contract with its staff, or parents of its pupils.
Other uses of personal data will be made in accordance with the school’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of data. The school may also collect, process and store in the short term data pertaining to job applicants and contractors. The legal basis for processing and storing this information is legitimate business interest.
This Privacy Notice also applies in addition to the school's other relevant terms and conditions and policies, including:-
- any contract between the school and its staff or the parents of pupils;
- the school’s CCTV policy;
- the school’s retention of records policy;
- the school's safeguarding, pastoral, or health and safety policies, including as to how concerns or incidents are recorded; and
- the school's IT policies, including its Acceptable Use policy, Digital Safety policy, WiFi policy and Data retention policy.
Types of personal data collected and held by CLS and method of collection
When you request information from the School, we will require some personal information about you - including your name, address, email address and telephone number. This information allows the School to fulfil your request and keep you informed. This may be provided by you or 3rd parties electronically or on paper. Where payments are made to the School, details of payment card numbers and expiry dates will go through a secure server operated by the School's Payment Service Provider.
If you are a parent, some of the personal information held about you will include:-
- Your name, title, gender, nationality and date of birth.
- Your home address, email address and telephone numbers;
- Your bank account number, name and sort code (used for processing Direct Debits);
If you are a student, former student or prospective student, some of the personal information held about you will include:-
- Your name, title, gender, nationality and date of birth;
- Your home address, email address and telephone numbers;
- Start date, previous academic record, references, relevant medical information, attendance data, disciplinary records, learning support information, examination scripts and marks.
- Images including the image stored on the school’s Management of Information system, images of you engaging in school activities and images captured by the school’s CCTV system.
If you are a member of the alumni body, some of the personal information held about you will include:-
- Your name, title, gender, nationality and date of birth.
- Your home address, email address and telephone numbers;
- Your employment status (e.g. part-time, full-time, retired);
- Academic records and dates of your time at CLS.
- Your current job title and work email address;
- Your previous role(s) and job title;
- Your links with the school.
Why the School needs to process personal data:-
The school expects that the following uses may fall within that category of its (or its community’s) “legitimate interests”:
- For the purposes of pupil selection (and to confirm the identity of prospective pupils and their parents);
- To provide education services, including musical education, physical training or spiritual development, career services, and extra-curricular activities to pupils, and monitoring pupils' progress and educational needs;
- Maintaining relationships with alumni and the school community, including direct marketing or fundraising activity;
- For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);
- To enable relevant authorities to monitor the school's performance and to intervene or assist with incidents as appropriate;
- To give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupil attended or where it is proposed they attend; and to provide references to potential employers of past pupils;
- To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the school;
- To safeguard pupils' welfare and provide appropriate pastoral care;
- To monitor (as appropriate) use of the school's IT and communications systems in accordance with the school's IT acceptable use policy;
- To make use of photographic images of pupils in school publications, on the school website and (where appropriate) on the school's social media channels. Where images are shared with third parties, for example, the media, for promotional and congratulatory purposes, the pupil’s full name will not appear with the photograph unless the permission of the pupil or parent (depending on the age of the pupil) has been sought. Pupils, parents and guardians should be aware that where photographs or other image recordings are taken by family members or friends for personal use, data protection legislation will not apply e.g. where a parent takes a photograph of their child and some friends taking part in the School sports day.
- For security purposes, including CCTV in accordance with the school’s CCTV policy; and
- Where otherwise reasonably necessary for the school's purposes, including to obtain appropriate professional advice and insurance for the school.
In addition, the school may need to process special category personal data ( for example, to support student welfare) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons may include:
- To safeguard pupils' welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual's medical condition where it is in the individual's interests to do so: for example for medical advice, social services, insurance purposes or to organisers of school trips;
- To provide educational services in the context of any special educational needs of a pupil;
- For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
How personal data is processed by CLS and who has access to your personal data
Access to personal data is restricted to those members of staff who have a requirement to maintain a relationship with you and is controlled through password protection and user security profiles. All CLS staff that are given access to personal data receive mandatory Data Protection training and have a duty to maintain confidentiality under GDPR. Access to special category data is restricted to key personnel and staff with such access receive a higher level of training. For example:-
- medical records are held and accessed only by the school nurse
- safeguarding files are restricted to the Head and the Head’s EA, the DSL and deputy DSLs and the DSL’s administrative assistant
- pastoral files are restricted to the Heads of Year and Deputy Head Pastoral. However, information regarding pastoral concerns and safeguarding and child protection concerns may be shared confidentially with other members of staff on a ‘need to know’ basis.
- Learning support information, which may include special category data, is shared in part with staff in the context of providing the necessary care and education that the pupil requires.
However, information regarding pastoral concerns and safeguarding and child protection concerns may be shared confidentially with other members of staff on a ‘need to know’ basis.
Learning support information, which may include special category data, is shared in part with staff in the context of providing the necessary care and education that the pupil requires.
Personal data is processed by CLS to:-
- Keep you informed of your progress (students) or to keep you informed about your son’s progress (parents).
- Promote events;
- Send news and updates;
- Recruit alumni volunteers and mentors;
- Provide community news.
With whom does CLS share data?
Personal data is never sold to third parties. Data is shared with the Friends of CLS as a contractual necessity and for legitimate interest purposes. In many circumstances, we will not disclose personal data without consent. However, there may be occasions, such as pupils changing schools, when we will need to share personal information with the organisation concerned and with other relevant bodies. Occasionally the school will need to share personal information relating to its community with 3rd parties, such as professional advisers (lawyers and accountants) or relevant authorities (HMRC, police or the Corporation of London, the local authority)
Information about employees may also be disclosed where required by law, or in connection with legal proceedings, or for the prevention/detection of crime, or assessment/collection of tax.
The school is required to disclose some personal data to the Department of Education, for example, students continuing with sixth form studies data.
If you have registered to attend an event organised by the school or the Friends of CLS, the school may share a list of attendee names with participants.
CLS may share personal data with third party organisations which carry out contracts on behalf of the school (such as a venue hosting a school event). CLS will only share personal data that is relevant and proportionate. All data processing activities are logged and reviewed from time to time. Should a safeguarding issue arise, personal data may be shared after consultation with the Designated Safeguarding Lead.
Finally, in accordance with Data Protection Law, some of the school’s processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the school’s specific directions. In 2018, third party contractors will be contacted to ensure compliance with GDPR, ahead of May 2018.
How personal data is stored by CLS
Personal data is stored electronically in the school’s MIS, IT Systems and, in some instances, in paper record. Paper record special category data and higher category sensitive information is kept under lock and key.
How long personal data is held by CLS
CLS has a data retention policy. Please note that this is subject to periodical revision and the current moratorium – applicable to all schools - on the destruction of files (International Inquiry into Child Sexual Abuse) means data is being retained that would otherwise have been destroyed. If you have any specific queries or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact email@example.com.
Individuals have various rights under Data Protection Law to access and understand personal data about them held by the school, and in some cases ask for it to be erased or amended or for the school to stop processing it, but subject to certain exemptions and limitations.
Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, should email their request to firstname.lastname@example.org.
The school will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month (from May 2018) in the case of Subject Access Requests. The school will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, the school may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege. The school is also not required to disclose any pupil examination scripts (though examiners' comments may fall to be disclosed), nor any confidential reference given by the school for the purposes of the education, training or employment of any individual.
Pupils aged 13 or over have the same rights as adults over their personal data and may submit their own Subject Access Requests. A subject access request from a student under the age of 13 may be considered if, in the opinion of the school, the student is of sufficient maturity. More usually, a person with parental responsibility will generally be expected to make a subject access request on behalf of younger pupils. However, the information in question is always considered to be the child’s at law. A pupil of any age may ask a parent or other representative to make a subject access request on his/her behalf, and moreover (if of sufficient age) their consent or authority may need to be sought by the parent. All subject access requests from pupils will therefore be considered on a case by case basis.
Where the school is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that the school may have another lawful reason to process the personal data in question even without your consent.
That reason will usually have been asserted under this Privacy Notice or may otherwise exist under some form of contract or agreement with the individual (e.g. an employment or parent contract, or because a purchase of goods, services or membership of an organisation has been requested).
The rights under Data Protection Law belong to the individual to whom the data relates. However, the school will often rely on parental consent to process personal data relating to pupils (if consent is required) unless, given the nature of the processing in question, and the pupil's age and understanding, it is more appropriate to rely on the pupil's consent.
Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents’ rights at law or under their contract, and all the circumstances.
In general, the school will assume that pupils’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil's activities, progress and behaviour, and in the interests of the pupil's welfare, unless, in the school's opinion, there is a good reason to do otherwise.
However, where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, the school may be under an obligation to maintain confidentiality unless, in the school's opinion, there is a good reason to do otherwise; for example where the school believes disclosure will be in the best interests of the pupil or other pupils, or if required by law.
Pupils are required to respect the personal data and privacy of others, and to comply with the school's Acceptable Use Policy and the school rules. [Staff are under professional duties to do the same covered under the relevant staff policy.]
Data Accuracy and Security
The school will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must please notify the school of any changes to information held about them (please emai email@example.com.
An individual has the right to request that any inaccurate or out-of-date information about them is erased or corrected (subject to certain exemptions and limitations under Act) - please see above.
The school will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to school systems. All staff and governors will be made aware of this policy and their duties under Data Protection Law and receive relevant training.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Queries and Complaints
Any comments or queries on this policy should be directed to the school at firstname.lastname@example.org.
If an individual believes that the school has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should utilise the school’s complaints procedure and should also notify the school by email email@example.com. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO.org.uk), although the ICO recommends that steps are taken to resolve the matter with the school before involving the regulator.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 16 May 2018.
CLS Social Media Policy
Acceptable use policy
City of London School (CLS) and indeed the City of London Corporation has a number of social media outlets, on which we invite the public to follow us. Most online communities have their own rules and guidelines, which we will always follow. We reserve the right to remove any contributions that break the rules or guidelines of the relevant community, or any of the following:
- Be civil, tasteful and relevant.
- Do not post messages that are unlawful, libellous, harassing, defamatory, abusive, threatening, harmful, obscene, profane, sexually oriented or racially offensive.
- Do not swear.
- Do not post content copied from elsewhere, for which you do not own the copyright.
- Do not post the same message, or very similar messages, more than once (also called "spamming").
- Do not publicise your, or anyone else's, personal information, such as contact details.
- Do not advertise products or services.
- Do not impersonate someone else.
Please take care not to make defamatory statements. In law this means a statement that lowers the reputation of a person or organisation in the eyes of a reasonable person. By publishing such a statement we can both get into serious trouble. We will therefore take down any statement that could be deemed to be defamatory.
CLS and the City of London Corporation must be politically neutral in its communications. Therefore, please do not use any of our pages to promote party political messages or other content. We will remove any comments that, in its view, may compromise its obligation to maintain political neutrality.
Our approach to connections on social media
The School and City of London Corporation may choose to 'follow', 'like' or otherwise establish connections with other organisations and individuals using social media. This is so that we can maintain contact with what other social media users are saying and, where appropriate, share their content. Sometimes we also need to establish a connection so that we can engage with users, eg via direct messages or posting. This is an emerging area of communications and as such we will review and amend its practice continuously.
Niether the School nor the City of London Corporation implicitly or explicitly endorse any individual or organisation merely by virtue of creating a social media connection, regardless of the terms used by social media providers such as 'follow' or 'like'. Indeed, we will maintain social media connections with organisations that are critical of it and/or have opposing views. Nor do we hold any responsibility for the content of such profiles.
Once connected, the City Corporation will not remove a profile from its network unless there is some over-riding reason to do so, eg because it poses a significant and material risk to our reputation and credibility, or a significant and material breach of our obligations to maintain political neutrality. It is not possible to be prescriptive on what would pose such a threat and each case will need to be consider on its own merits.
Contacting us via social media
Our responses to replies, comments and direct messages depend on the individual service. Even if we do not reply, we are listening and will act on or pass on your comments as appropriate. Our social media accounts are not currently monitored twenty-four hours a day, seven days a week. It is also easy to miss posts in busy social media traffic. If your query is serious, urgent, or involves personal details, you may also like to contact the School directly. Please note that unless stated otherwise the views/comments given on any of our social media sites may not necessarily reflect the views of the School or City of London Corporation. Our social media platforms are not intended to be used by the media or politicians to contact us
We adhere to the Data Protection Act 1998
City of London School uses all reasonable endeavours to comply with the Data Protection Act 1998 and the following principles:
- Personal data should be processed fairly and lawfully This means that individuals should not be deceived or misled into supplying information.
- Data should only be obtained for a specified purpose and should not be used for any other purpose.
- Personal data should be adequate relevant and not excessive in relation to its purpose.
- Personal data should be accurate and up to date where necessary.
- Personal data should not be kept longer than is needed for its intended purpose.
- Personal data should be processed in accordance with the rights of the individual which the information concerns.
- Appropriate measures should be taken against unlawful processing or destruction of records. Computer systems should have back up facilities and security provisions.
- Personal data should not be transferred outside the European Economic Area (the EU states plus Lichtenstein, Iceland and Norway). See the City of London's " Access to Information Page" which provides Users with guidance about their rights of access to information under the Freedom of Information Act 2000 and Data Protection Act 1998.
For more information on the Data Protection Act 1998 , you can call (UK) 01625 545 700.
A cookie is a small file which stores information that a website puts on your hard disk so that it can remember something about you at a later time.
Typically, a cookie records your preferences when using a particular site.
View the City of London Corporation's guide to cookies here.
City of London Corporation Legal Statement
The School is part of the City of London Corporation.
The City of London Corporation Privacy Statement for its website, www.cityoflondon.gov.uk and Legal Notices are as follows and should be applied, where appropriate and in similar capacity to the City of London School and its website, www.cityoflondonschool.org.uk:
The City of London Corporation Legal Statement can be downloaded here.