We understand that privacy and the security of your personal information is extremely important. This policy sets out what we do with your information and what we do to keep it secure. It also explains where and how we collect your personal information, as well as your rights over the personal information we hold about you.
This policy relates to The Bedford College Group (registered Bedford College) and includes the brands Bedford College, National College for Motorsport, Shuttleworth College, The Bedford Sixth Form and Tresham College. It also includes any other brands we add to this group in the future.
This policy applies to students, prospective students and employees, and visitors who attend one of our campuses, visit our website and social media pages or contact the College by other means.
1. What sort of information do we collect?
a) We collect the following personal data under GDPR Article 6c (Legal Obligation), and 6e (Public Task) in order to meet our legal obligations with the Education & Skills Funding Agency (ESFA) and Office for Students (OfS). They are also necessary in order for us to carry out our public task to provide education and training. We are required by ESFA to retain this data until at least 2030:
- Details about yourself including your name, date of birth, unique learner number, national insurance number and gender
- Contact details – including address, telephone number and email address
- Details of your previous qualifications, employment and educational history
- Information about your nationality and residency, and previous address if applicable
- Information about medical or health conditions, including whether or not you have a learning disability or difficulty, ethnicity
- Household information (this is collected only for the ESFA and is not used by the College)
- Free school meals eligibility
- Attendance marks such as sessions attended, number of absences and absence reasons
- Information to monitor and report on student discipline and progress and support your learning
- Your destination after College.
- Your postcode for the provision of mapping geographical demographic information.
b) We collect data about criminal convictions in order to protect vital interests of others under GDPR Article 6d (Vital Interest) and also in order to carry out our duty to support those with a conviction GDPR Article 6e (Public Task).
c) We collect your sexual orientation and religion under GDPR Article 6f (Legitimate Interests) so that we can ensure that you are not discriminated against in any way.
d) We collect parent/carer/emergency contacts under GDPR Article 6d (Vital Interests) and Article 6e (Public Task) in order to support your education and learning as fully as possible. For those over age 18 at the start of the academic year, the information is optional.
e) We collect your bank details if you need to pay for your course or you are in receipt of a bursary under GDPR Article 6b (Contracts).
f) If you pay for a course online, your card information is not held by us. It is collected by our third party payment processors who specialise in the secure online capture and processing of credit/debit card transactions.
g) We collect the name of your last school under GDPR Article 6f (Legitimate Interests) so that we can monitor progression from our feeder schools.
h) We collect your consent to keep in touch with you about our products and services, future events and College news, and to take photography and record audio and video content to showcase the College to prospective students and the community (GDPR Article 7 Consent).
Examples of how we may use your information:
Promotional materials such as course guides, prospectuses, newsletters, presentations, displays, posters or printed publications that we produce and use both internally and externally;
The College/company’s digital channels including websites and social media, e.g. Twitter, Facebook ect.
Press releases/ news stories to be sent to media outlets including print, broadcast and online media (please note that media outlets may also publish the information on their associated websites and on their social media channels);
Supplied to relevant third parties (i.e. external organisations and stakeholders), strictly in relation to the promotion of the college/ company;
For curriculum-based purposes (i.e. displays, presentations, assessments and external verification) GDPR
i) We take your photograph to display on your College ID card under GDPR Article 6f (Legitimate Interests) to ensure the safety of all our students and provide you access to our facilities.
j) We may capture your image on our CCTV systems under GDPR Article 6f (Legitimate Interests) to ensure the safety of our students, staff and visitors, and the protection of our buildings and assets (see our CCTV Policy).
k) We monitor your internet browsing under GDPR Article 6f (Legitimate Interests) to ensure the safety of our students.
l) We collect details such as free meals entitlement and a range of household income values for the purpose of assessing entitlement to higher education bursary – Article 6f (Legitimate Interest).
Please refer to our policy on Processing Special Category data, GDPR Article 9 and Criminal Convictions data, GDPR Article 10.
We collect and process your personal data to:
- Meet our statutory obligations as an FE College
- Deal with and respond to any enquiries you have made with us about our products and services
- Process application or enrolment forms you’ve submitted for a course, study programme or apprenticeship programme
- Effectively manage your learning, including monitoring and reporting on your progress, providing pastoral care, registering with awarding bodies, and administering learning loans
- Deal with and respond to any events you have booked on to or competitions you’ve entered into
- Seek your views, comments and feedback on our products and services, and notify you of changes
- Send you communication which you have requested and that may be of interest on our products, services, news and events
- Personalise your visits to our websites, including remarketing activities
- Conduct market research, either ourselves or through reputable agencies
- For statistical analysis
- Ensure the safety of our students, staff and visitors, and the protection of our buildings and assets
- Process application forms you’ve submitted for a job vacancy.
We are committed to being transparent about what we collect, how we use your data and meeting our data protection obligations. The Bedford College Group needs to collect and process data so we can provide you with the highest standards of service we are able to give, and to meet its legal obligations from government organisations such as the DfE and OfS. Data regarding employment status and benefits is required to assess your eligibility for fee discounts, support or access to student bursaries.
Where the organisation processes other special categories of personal data, such as information about age, gender, ethnic origin, disability or health, this is done for the purposes of equal opportunities monitoring and monitor our service provision to improve our services to specific groups. We also use the data so we can personalise the provision to each student to provide them with the best possible opportunities to succeed.
Most of the information above is collected directly from you via online forms on our websites, application forms, enrolment forms or in person over the telephone or face-to-face. However some information such as previous qualifications, or special needs, may be collected from other organisations such as the DfE, the Local Education Authority, or your previous school.
If you do not provide the data required to meet legal obligations, we will not be able to enrol you as a student. If you do not provide the other information we request, for example whether you have a learning difficulty or disability, it may result in us being unable to provide the high standard of service we would wish to deliver.
Your personal information is stored securely in a range of different places, including student information and recruitment management systems, on electronic documents within a secure network and on paper, stored in secure places and with restricted access by only those authorised.
Your information may be shared internally, including with any staff from The Bedford College Group who need the data to provide services to students. This will include special categories of data where appropriate.
The College will only share your data with third parties where there is a legal obligation to do so, including ESFA, OfS, Learner Records Service (LRS), examination bodies, Student Loans Company (SLC) and local authorities.
From time to time, we engage non-statutory third parties to process personal data on our behalf, for example to follow up course applications during busy periods or undertake research. Where this happens, we require these parties to do so on the basis of written instructions, under a duty of confidentiality and an obligation to implement appropriate technical and organisational measures to ensure the security of data, and never to use it for their own direct marketing purposes. We will only disclose personal information that is necessary to carry out the task or provide the service to you on our behalf.
6.1 ESFA Data Sharing Agreement
This privacy notice is issued by the Education and Skills Funding Agency (ESFA), on behalf of the Secretary of State for the Department of Education (DfE). It is to inform students how their personal information will be used by the DfE, the ESFA (an executive agency of the DfE) and any successor bodies to these organisations. For the purposes of relevant data protection legislation, the DfE is the data controller for personal data processed by the ESFA.
Your personal information is used by the DfE to exercise its functions and to meet its statutory responsibilities, including under the Apprenticeships, Skills, Children & Learning Act 2009 and to create and maintain a unique learner number (ULN) and a personal learning record (PLR). Your information will be securely destroyed after it is no longer required for these purposes.
Your information may be shared with third parties for education, training, employment and well-being related purposes, including for research. This will only take place where the law allows it and the sharing is in compliance with data protection legislation.
The English European Social Fund (ESF) Managing Authority (or agents acting on its behalf) may contact you in order for them to carry out research and evaluation to inform the effectiveness of training.
Further information about use of and access to your personal data, and details of organisations with whom we regularly share data, are available at: information about how long we retain your data, and how to change your consent to being contacted, please visit: https://www.gov.uk/government/publications/esfa-privacy-notice
6.2 LRS Data Sharing Agreement
The information you supply will be used by the Skills Funding Agency, an executive agency of the Department for Education (DfE), to issue you with a Unique Learner Number (ULN), and to create your Personal Learning Record. For more information about how your information is processed and shared refer to the Extended Privacy Notice available on gov.uk
Where Bedford College engages non-statutory third parties to process personal data on its behalf, we require them to do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
The organisation takes the security of your personal information very seriously. We have policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Our Data Protection Policy is available to view on our website at www.bedford.ac.uk/downloads.
We review our retention periods for personal information on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations, for example all personal data collected and processed on behalf of the ESFA or OfS is held for as long as we are legally required to do so, currently until at least 2030. Other data will be held as long as is necessary to fulfil our duty as a college and/or to undertake relevant activity. See our Retention Policy at bedford.ac.uk/downloads for more details.
From time to time, we would like to tell you about our products and services, events and College news we think you might be interested in. We will do this by post and, where you have consented to us doing so, we may also do this by email, text message or telephone. We will not send you marketing messages if you tell us not to.
As a student, and where you have consented to us doing so, we may also take photographs, audio and video of your time here to showcase the College to prospective students and the community.
You can change your marketing preferences at any time by contacting us as set out below.
Our websites contain links to other websites. This Privacy Statement only applies to this website so when you link to other websites you should read their own privacy statements.
When using one of our websites, you may be able to share information through social networks like Facebook and Twitter. For example when you ‘like’ or ‘share’ a new story. When doing this your personal information may be visible to the providers of those social networks, their other users and/or The Bedford College Group. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so you are comfortable with how your information is used and shared on them.
You can engage with us on social media through one of our official social media pages. To participate in these you will need to like our page and can opt-out at any time.
Under the GDPR data subjects have several rights subject to certain exemptions:
- The right to be informed: You have the right to be informed. We will inform you of the reason for processing your data, when we first contact you.
- The right of access: You have the right to access the personal information that we hold about you in many circumstances. This is sometimes called a ‘Subject Access Request’. View the ‘Subject Access Request’ form here.
- The right to rectification: If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it.
- The right to object: You have the right to object to the processing of your personal data where we are relying on a Legitimate Interest and there is something about your particular situation, which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. Please refer to section 1, for the lawful basis under which we process your data and section 8, for how long we retain your information.
- The Right to Erasure: This enables you to ask the organisation to delete or stop processing your data, for example where the data is no longer necessary for the stated purposes of processing and where the organisation is relying on consent or its legitimate interests as the legal ground for processing. Note, however, that we may not always be able to comply with your erasure request for specific legal reasons. Please refer to section 1, for the lawful basis under which we process your data and section 8, for how long we retain your information. View the ‘Request to Erasure’ form here.
- The Right to restrict processing: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (i) if our use of the data is unlawful but you do not want us to erase it, (ii) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it, (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims or (iv) or (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. Please refer to section 1, for the lawful basis under which we process your data.
- The Right to Data Portability (request to transfer): We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right may only apply to automated information which you initially provided consent for the organisation to use or where the organisation used the information to perform a contract with you.
- The Right to withdraw consent: Consent can be withdrawn at any time, where the organisation is relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you would like to exercise any of these rights, please contact us as set out below.
Please note: We will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect your personal information against fraudulent requests.
For more information on your rights, please refer to the website of the Information Commissioner’s Office (ICO).
Consent can be withdrawn at any time, where the organisation is relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you would like to exercise one of your rights as set out above, or have a question or complaint about this Policy, the way your personal information is processed, please contact us:
For data breaches:
By email: firstname.lastname@example.org
By post: Data Protection Officer for The Bedford College Group, DPO Centre, The DPO Centre Ltd, 50 Liverpool Street, London EC2M 7PY
For all other enquiries:
By email: email@example.com
By post: Student Data[KS1] [EK2] , The Bedford College Group (Registered Bedford College), Cauldwell Street, Bedford MK42 9AH