Privacy Notice for DCG Students
The General Data Protection Regulations came into force on the 25th May 2018 and the Data Protection Act 2018 and UK GDPR is the UK’s implementation of these regulations. The Data Protection Act 2018 provides a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice. The Act sets standards for protecting personal data, in accordance with the UK General Data Protection Regulation (UK GDPR), giving individuals more control over use of their data, and providing them with new rights to move or delete personal data.
DCG is committed to a policy of protecting the rights and privacy of Data Subjects (including, governors’ employees, students and others) in accordance with the Act.
Transparency is a key element of the Data Protection Act 2018 and this Privacy Notice is designed to inform you:
- how and why the Group uses your personal data,
- what your rights are under the Data Protection Act 2018, and,
- how to contact us so that you can exercise those rights
DATA SUBJECT RIGHTS
One aim of the Act is to empower individuals and give them control over their personal data. UK GDPR and The Data Protection Act 2018 gives you the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
WHICH PERSONAL DATA DO WE COLLECT AND USE?
The categories of personal information that we process are included in the table below:
Which Personal Data do we collect and use?
The categories of personal information that we process are included in the table below:
|Obtained From||Person Category|
|From your application||
|From your Equality Monitoring Form:||
|Additional data collected during your studies at the DCG||
* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the GDPR V Denotes information which you provide on a voluntary basis # Denotes information which will be published/available to the public
DCG hold data securely for the set amount of time shown in our data retention schedule. For more information on our data retention schedule and how we keep your data safe, please visit
WHY WE COLLECT AND USE STUDENT INFORMATION
Your personal data collected is essential for DCG to fulfil their official functions and meet legal requirements. DCG collect and use student information, for the following purposes:
- to support student learning
- to monitor and report on student attainment progress
- to provide appropriate pastoral care
- to assess the quality of our services
- to keep students safe (food allergies, or emergency contact details)
- to meet the statutory duties placed upon us for DfE and ESFA data collections
- to provide reports and returns required by funding agencies, government departments, and public bodies
It may also be necessary for the Group to process your personal data in order to protect your vital interests or those of another individual i.e. in emergencies/life or death situations/where we believe that a student or another individual is at significant risk of harm.
Where we process sensitive personal data/special categories of personal data, we will rely on the conditions in Article 9 of the UK GDPR: explicit consent, vital interests, substantial public interest, occupational medicine, archiving/research.
In line with the Data Protection Act 2018, the legal bases we rely on for processing personal information for general purposes are:
- Legal Obligation
- Vital interest
- Public task
- Legitimate interest
WHO DO WE SHARE YOUR DATA WITH?
Attendance, progression data and educational records may be shared with parents/guardians of students (under 18 years of age). If a student has any concerns about disclosing this information to a parent/guardian, please contact DPO@derby-college.ac.uk and we will ask a member of the Safeguarding team to contact you.
Students should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the organisation or outside Derby College Group. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. Derby College Group does not sell personal data to third parties.
DCG routinely shares this information with:
- Group staff who need the information for administrative purposes.
- Government bodies and departments, in the UK and overseas, responsible for:
- public funding
- statistical analysis, monitoring and auditing
- regulatory matters, e.g. ESFA, Department for Education, OfS
PLEASE NOTE that equality and diversity information is only published in the form of anonymised reports
- Equality and Diversity data is also shared with the Nominations Committee of the Board to inform its review of the balance of Board memberships and with the Board in relevant reports
- the Group’s insurers, legal advisers and auditors
Occasionally, the College may take photographs of students or visitors. The College may use these images in our prospectus or in other printed publications that we produce, as well as on our website. The College may also make video or webcam recordings for conferences, monitoring or other educational use.
From time to time, the College may be visited by the media who will take photographs or film footage of a visiting dignitary or other high profile event. Students will often appear in these images, which may appear in local or national newspapers, or on televised news programmes.
To comply with the Data Protection Act 2018, the College will ask for consent before photographing any individual or making any recordings.
The Data Protection Act classifies audio/video recording as a form of data processing, as recorded conversations have the potential to capture personal information, including names, addresses, financial details, religious beliefs, and medical records and therefore can only be recorded for the following purposes:
- The purpose is to deliver online lessons. In this scenario, lessons can be recorded for use by students as it is in the legitimate interest of DCG for students to have access to this resource and for teaching staff for reference, reflection, and safeguarding purposes
- The purpose is to conduct a one to one online meeting with a student. The meeting should be recorded for safeguarding purposes. This is in accordance with the DCG Safeguarding Policy.
- The purpose is to enable teaching staff and assessors to carry out professional discussions with students as an evidence method to demonstrate student competency whilst working towards a qualification.
- The purpose call is to support, develop and enhance the learning experience of DCG students such as inductions, projects and training.
The College makes available lessons in some teaching spaces and for certain events. In this context, this means ‘the live recording of a taught session to create a resource that can be used for education purposes’.
There are a number of educational benefits to recording lessons, for example, improved accessibility and enabling multiple reviews.
These audio and video recordings will capture some personal data of the tutor/assessor and, potentially, of people attending the lesson or event. This notice explains how the college will use this information. We will revisit this notice and amend if our use of personal data changes in any way.
The following types of personal data may be captured during a recording:
- Image (in video recordings)
- Personal opinions
- Actions taken or contributions made (e.g. audience participation)
- The software may record personal data of the teacher/assessor, student or other person attending a lesson or event
As this method is primarily being used as a teaching tool, it is not intended that these recordings should be used to record sensitive or special categories of data.
Recordings relating to taught material will be made available to registered Derby College students.
We will not normally share these recordings with any other party. Any specific requests from a third party for us to share your personal data with them will be dealt with in accordance with the provisions of the data protection laws.
Tutors and assessors can choose whether to record a session or not. When a lesson is being recorded, the lecturer can stop recording at any time.
Similarly, students and others attending a recorded lesson can choose if they want their personal data to be included in a recording.
If you do not wish to be included in any recording, please let the tutor/assessor or event organiser know before the start of the session.
Students cannot normally opt out when a recording is part of an assessed summative item of work, however any material recorded for summative work would not be made available to anyone apart from the assessors of the work.
The purpose of the meeting/call is to deliver online lessons. In this scenario, lessons can be recorded for use by students as it is in the legitimate interest of DCG for students to have access to this resource and for teaching staff for reference, reflection, and safeguarding purposes.
Derby College is using personal data in this way in pursuit of our legitimate interests in providing a service to students, staff and others, e.g. members of the public attending a public event.
Where a recording is intended to be made widely available, we will only do so with the consent of the person(s) delivering the lesson.
Derby College use Microsoft Teams to provide the recording of lessons. https://privacy.microsoft.com/en-gb/privacystatement
The Group takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention and regular assessment of the technical security of Group systems. Group staff monitor systems and respond to suspicious activity.
Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of Group information are aware of their obligations and responsibilities for the data they have access to.
The College has been awarded Cyber essentials plus certification. Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme. It is a more rigorous test of an organisation’s cyber security systems where our cyber security experts carry out vulnerability tests to make sure that an organisation is protected against basic hacking and phishing attacks.
We retain records in line with our Records Management and Archiving Policy and the JISC Record Retention Management Guide:
Derby College Group is a data controller. Student data is stored and processed by Derby College Group with agreement from the student and in accordance with the principles of the Data Protection Act 2018/UK GDPR and Derby College Groups’ Data Protection Policy, procedures and guidelines. Information regarding your attendance/welfare may be shared with:
- Employers, in the case of sponsored students
- Parent/guardian, in the case of students under 18
- The relevant authorities for Council tax and benefit purposes
- Those formally requesting references (where students have consented to this)
Students inputting personal data must note that it is their responsibility to ensure that the data is removed from any location which may be accessible by others after each session. Derby College Group cannot be responsible for the security of such data.
Students have a right to access information held about them and, where appropriate, to have it corrected or deleted. Further details are available on the Derby College Group website: https://www.derby-college.ac.uk/data-protection/
REQUESTING ACCESS TO YOUR PERSONAL DATA
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information please visit www.derby-college.ac.uk/gdpr or email firstname.lastname@example.org
You also have the right to:
- to ask us for access to information about you that we hold
- to have your personal data rectified, if it is inaccurate or incomplete
- to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- to restrict our processing of your personal data (i.e. permitting its storage but no further processing)
- to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics
- not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you
If you have a concern or complaint regarding the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Subject Access Requests requesting Examination Results
If a request is made once the exam results have been published, we will aim to respond within one calendar month. If a request is made before the results have been announced and published, we will respond within five months of the date of the request; or within 40 days from when the results are published (whichever is earlier). This is in line with the ICO guidelines on exam results: https://ico.org.uk/your-data-matters/schools/exam-results/
The easiest way to make a request is to complete the online Subject Access Request Form which can be found on our website at
https://www.derby-college.ac.uk/data-protection/. A hard copy of this form is available on request from the College. Alternatively, a request can be made directly to the Data Protection Officer at email@example.com.
If you would like to discuss anything in this privacy notice, please contact the Data Protection Office at DCG via email firstname.lastname@example.org
As part of your learner agreement and studying at Derby College, you will need to read and understand the following privacy notices:
ESFA Privacy Notice
The Education and Skills Funding Agency (ESFA) is an executive agency of the Department for Education (DfE). This privacy notice explains how the ESFA use (process) any personal data you give to us, or any that we may collect about you:
ESFA privacy notice – GOV.UK (www.gov.uk)
ILR Privacy Notice
This privacy notice is issued by the Education and Skills Funding Agency (ESFA) on behalf of the Secretary of State for the Department of Education (DfE) to inform students about the Individualised Learner Record (ILR) and how their personal information is used in the ILR: ILR Privacy Notice 2022 to 2023 version 1 January 2022 (submit-learner-data.service.gov.uk)
LRS Privacy Notice
The LRS Privacy Notice explains how student qualification data is used if a student allows others to see their personal learning record. This notice summarises the information held on record about each student, why it is held and the third parties with whom the data may be shared: LRS privacy notice – GOV.UK (www.gov.uk)