EC Default Banner

Data protection and Cookies

Your Data Protection Rights at Edinburgh College.

The Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) provide certain rights for individuals in relation to their personal data and what organisations may do with their data.

To make a request in relation to any of your rights, please email DataProtection@edinburghcollege.ac.uk

The Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR) provide certain rights for individuals in relation to their personal data and what organisations may do with their data. Under data protection law you have the following rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

All of these rights require organisations to respond to a request in one month. There is no fee, although if a request is considered manifestly unfounded or excessive a reasonable fee can be charged for the administrative costs associated with the request.

The UK Information Commissioner’s Office (ICO) is the regulator of data protection and has further information and guidance regarding your rights on the ICO website

Your Rights Under Data Protection Law

Your rights – contacting the college

If you have any queries regarding how Edinburgh College processes your personal data, or wish to make a request under data protection law, please contact the Data Protection Officer (DPO) by emailing DataProtection@edinburghcollege.ac.uk

The right to be informed

The right to be informed is known as a “privacy notice” and organisations must communicate to you who they are, the name and contact information of their Data Protection Officer (DPO); why they collect your data; for what purpose; if they share it; and how long the information is held for.

ICO Guidance: https://ico.org.uk/your-data-matters/your-right-to-be-informed-if-your-personal-data-is-being-used/

The right of access

The right of access means you can request access to view, or get copies of, the personal data that an organisation holds on you. You can make such a request for all information held about you, or you can be specific, e.g. asking for copies of application and enrolment forms.

ICO guidance: https://ico.org.uk/your-data-matters/your-right-of-access/

The right to rectification

The right to rectification means that you can request that inaccurate information held about you is corrected or deleted. If your information is incomplete, you can ask the organisation to complete it by adding further information.

ICO guidance: https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected/

The right to erasure

The right to erasure is commonly known as the ‘Right to be Forgotten’ (RTBF). This means you can request that an organisation deletes the personal data they hold about you. This right only applies in certain circumstances including:

  • The organisation doesn’t need your information anymore
  • If you had provided your consent but now withdraw it
  • You object to the use of your data, and your interests outweigh the organisation’s
  • If the data was collected or used unlawfully
  • If there is a legal obligation to erase your data.
  • Or if your data was collected from you as a child for an online service (e.g. Facebook).

ICO’s guidance: https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/

The right to restrict processing

The right to restrict processing means that if you are concerned about the accuracy of your personal data, or how it is being used, you can limit how the organisation uses your data. You can also stop an organisation deleting your data. This right also links closely with the right to rectification and right to object.

ICO Guidance: https://ico.org.uk/your-data-matters/your-right-to-limit-how-organisations-use-your-data/

The right to data portability

The right to data portability means you have the right to request that an organisation provide you with your personal data in an accessible, machine-readable format, e.g. a csv file. You can also request that the organisation transfers your data to another organisation. They must do this if the transfer is technically feasible.

This right only applies in specific circumstances and is not absolute.

ICO Guidance: https://ico.org.uk/your-data-matters/your-right-to-data-portability/

The right to object

The right to object means you can request that an organisation stops using (processing) your data for specific purposes. There are limits to this right, you can only object if the organisation is using your data:

  • For a “task carried out in the public interest”
  • For “legitimate interests”
  • For “scientific or historical research or statistical purposes”
  • For direct marketing

If an organisation agrees to your objection it must stop processing unless it can provide strong legitimate reasons for continuing to use your data. However, when the objection relates to direct marketing the right to object is absolute and an organisation must stop using your data.

ICO Guidance: https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/

Rights in relation to automated decision making and profiling

Rights in relation to automated decision making and profiling relates decisions made about you using computer algorithms etc. and without human intervention.

This can include profiling - when your personal data is used to analyse or predict aspects of your life, including personal preferences and interest.

An example of this is when a company sends you information regarding particular books which are similar to ones that you already purchased from them. It can be a useful process for organisations and individuals in many sectors, including education and marketing.

When automated processing including profiling is carried out with your personal data you have the right:

  • Not to be subject to a decisions that is based solely on automated processing if the decision affects your legal rights
  • To understand the reasons behind decision made and the potential consequences of the decisions
  • To object to profiling in certain situations, including direct marketing.

ICO Guidance: https://ico.org.uk/your-data-matters/your-rights-relating-to-decisions-being-made-about-you-without-human-involvement/

Edinburgh College Data Protection Policy

Edinburgh College is committed to a policy of protecting data, and to protecting the rights and freedoms of individuals with respect to the processing of their personal data. 

Our Data Protection Policy sets out the legal framework and risks which govern the college’s use of data; the college’s commitment to protecting its data; and the obligations of users to protect all data (with particular reference to personal and special (previously called sensitive) categories of personal data).

Edinburgh College Data Breach Reporting Procedure

For information on how to report a suspected data breach, involving personal data, please read our Data Breach Reporting Procedure.

Special Category & Criminal Convictions Personal Data Policy

The Data Protection Act 2018 requires the College, as a Public Authority, to have an appropriate policy document (and supporting procedures) in place which outline the College’s approach to the management of special category personal data and criminal convictions data (as required by the General Data Protection Regulation (GDPR), Article 9 and the Data Protection Act 2018, Schedule 1, Part 4).

Edinburgh College processes special category and criminal conviction data as part of its statutory duties under employment and social protection law, or processing for reasons of substantial public interest. Through this Policy the College explains its procedures for compliance with the principles of Articles 5 and 6 of the GDPR, and outlines its policies as regards retention and erasure of this data.

Data protection and cookies notices and policies

Edinburgh College has appointed a named Data Protection Officer (DPO), Lizi Bird, who can be contacted by emailing DataProtection@edinburghcollege.ac.uk

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

As your employer we have a duty of care to all of our staff and we collect personal data for the purposes of occupational health (OH) and for the assessment of the working capacity of the employee. We also process employee personal data to ensure the health and safety of the employees at work and to allow consideration of any reasonable adjustments that may be required to support their ability to work.

What personal data do we collect?

Personal data

  • Name
  • Date of birth
  • Address
  • Telephone number
  • Email
  • Jobe role
  • Your GP contact information & (if applicable) any hospital contact information if you have a specific health condition.

Special Category Personal Data

  • Attendance/Sickness Record (if applicable)
  • Health conditions
  • Medical Reports (if you choose to bring them to an OH meeting)
How are we collecting this information? What is the source?

We collect your information in a number of ways, depending on the circumstances. The following details are the main ways that data is collected.

Management Referral

When making a referral, managers/HR are asked to confirm that the employee has been informed of the details of the referral before submitting. The referral will not be able to go ahead if this is not confirmed with the employee. The OH Referral Form requires confirmation that the employee has been fully informed of the referral, informed of their rights and, if applicable, their consent under the Access to Medical Reports Act 1988 (AMRA) must be received prior to an OH assessment and report is carried out.

Under AMRA employees have the right to see the report before it is sent to their line manager and HR. Under Section 3 of AMRA requires that medical reports and applications for them are not processed unless the individual has consented. This is consent under AMRA and not under data protection law. Under Section 4 and 5 of AMRA employees have rights and can request inaccurate information is corrected. If the medical professional considers this is accurate a note on the report will be added to accurately reflect this. At the time of receiving the report to review, employees are given a time frame for contacting Occupational Health with consent under AMRA to release the report.

New Employment Health Questionnaires

As referenced earlier, as an employer, the College has a duty of care to all employees to ensure their health and safety at work and, when applicable, identify and implement any reasonable adjustments required to enable the employee to work. Therefore, the College requires new employees to complete a health screening in order to determine if the individual is fit for the tasks that they will be performing and identify any reasonable adjustments that may be required.

The questionnaire is used solely for the purposes of assessing fitness to work and if necessary implementing reasonable adjustments to ensure the employee is able to work.

Health Surveillance

For some roles, health surveillance will need to be undertaken where risk assessment indicates that an individual might be exposed to certain hazards within the work place i.e. noise The employer will be sent a fitness to work certificate following the health surveillance appointment.

The lawful basis for the processing

The lawful basis for processing for these purposes are GDPR Article 6(1)(b) “Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. For the processing of special category personal data (i.e. health data), the lawful basis is GDPR Article 9(2)(h) “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”. GDPR Article 9(3) states that processing is permitted “when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy.”

All health professionals will adhere to their governing body of professional standards with regards to confidentiality.

Please note any reference to consent is not consent to process personal data under data protection law. Consent is in relation to the Access to Medical Reports Act 1988 (AMRA) only and provides an employee with opportunity to view and correct an OH report prior to it being provided to the employer.

Who we share the information with

For the purposes of Management Referrals, your OH Report is shared with your line manager and the HR department. However, this is only shared if you have provided your consent under AMRA. For the purposes of New Employment Questionnaires and Health Surveillance this is shared, if necessary, to the College’s HR department to ensure that reasonable adjustments are made and the College is meeting its duty of care and ensuring the health and safety of the workforce.

How long do we hold the personal data?

The Occupational Health records will be kept for the length of employment and for 7 years after leaving employment (this applies to Management Referrals and New Employment Health Questionnaires). Once this retention period has passed, these records will be destroyed securely following College procedures.

For the health surveillance records these are required under The Control of Substances Hazardous to Health Regulations (COSHH) 2002 and the related Health and Safety at Work etc Act 1974 which require that records are kept for 40 years. Following this time period, the records will be destroyed securely in line with College procedures.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

The rights that apply for this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request your personal data is deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision making (including profiling) – we do not do this for OH purposes and this therefore does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it and what are we doing with it (Purpose)?

We collect your personal data for the following purposes:

Recruitment and retention of staff

  • Making a decision about your recruitment/appointment;
  • Determining the terms on which you work for us;
  • Checking that you are legally entitled to work in the UK;
  • Checking your criminal history, including PVG Disclosure Scotland checks;
  • Assessing qualifications, including decisions about promotions;
  • Making decisions about your continued employment;
  • Undertaking/implementing salary reviews and calculating compensation e.g. voluntary severance;
  • When outsourcing particular business areas of the college we are required to provide information to your new employer in adherence with TUPE regulations.

Payroll and pensions administration (including National Insurance and Tax Administration)

  • Paying you and deducting tax and national insurance contributions;
  • Providing employee benefits to you;
  • Liaising with your pension provider and the Department of Work & Pensions

Supporting your Continuing Professional Development and career progression

  • Identifying education, training and development requirements (e.g. Training Needs Analysis);
  • Conducting appraisal/development reviews.

For occupational health and managing sickness absence purposes

  • Ascertaining your fitness to work when managing sickness absence;
  • Referring you to Occupational Health to assess your fitness for work (this may be an internal or external practitioner); a separate Occupational Health privacy notice will be provided at that time.

For disciplinary and conduct purposes

  • Gathering evidence during the course of investigations for possible disciplinary, grievance or capability hearings;
  • To monitor your use and ensure security of our information and communication systems, in partnership with IT, to ensure compliance with our IT Policies;
  • Dealing with legal disputes involving you, or other employees.

For health and safety purposes

  • Complying with health and safety obligations (e.g. monitoring compulsory training).
  • Dealing with legal disputes arising from accidents at work.

For Equality and Diversity monitoring purposes

  • Equal opportunities monitoring, in line with legal obligations, to promote inclusion.

For management planning purposes

  • Business management and planning, including accounting and auditing;
  • Producing quarterly and annual statistical HR Dashboards and analysis for senior management and relevant committee (if applicable) to inform business planning which includes headcount (and full-time equivalents), establishment, turnover, absence, department, salary band, contract status (permanent or temporary), length of service, recruitment, training, pay gaps and workforce demographics such as gender, ethnicity, age, disability, part-time status.
  • To understand why employees leave the College and to help feedback and improve College services. We collect this data through the Exit Interview Questionnaire; employees can choose whether to complete this or not. HR will store and use the data to analyse trends and monitor statistics. It will also be used, on an anonymous statistical basis, to provide high level reports to the Executive Team and Senior Management Team. 

For collective bargaining purposes

  • Providing information and data to Colleges Scotland under the Trade Union and Labour Relations (Consolidation) Act 1992 which enables agreements to be reached under National Bargaining with recognised Trade Unions i.e. pay agreements, job evaluation etc.

 

What personal data do we collect?
  • Name/Title
  • Address(es)
  • Telephone number(s) – home & mobile
  • Personal email address
  • Date of birth
  • Gender
  • Marital status
  • Dependants
  • Next of kin
  • Emergency contact information
  • National Insurance number
  • Bank account details
  • Payroll number & tax code
  • Salary
  • Pension scheme details
  • Benefit information e.g. childcare voucher membership
  • Application form (or if via agency CV & covering letter)
  • Proof of Right to work
  • References
  • Qualification certificates
  • PVG Membership Number
  • Start and end dates of employment
  • Job title
  • Your opinions on your employment at the College (where completing an Exit questionnaire)

We also process special category personal data:

  • Race
  • Ethnicity
  • Religious beliefs
  • Sexual orientation
  • Disability
  • Gender identity
  • Criminal convictions information
  • Medical questionnaire
  • Absence records and reasons as this may contain health data or other special category data
  • Occupational Health reports
  • Trade Union membership
How are we collecting this information? What is the source?

We will collect the majority of your personal information directly from you and particularly during our recruitment and selection process. If you applied for a post through myjobscotland.gov.uk we will have received your information from My Job Scotland: they will be a separate controller of your personal data – for further information on how they process your data please see their privacy notice.

We will ask you to keep your personal information current throughout your time with us by updating our self-service HR system. However, in certain circumstances we will collect information from third parties including:

  • Former employers
  • Employment agencies
  • Disclosure Scotland
  • GPs/Consultants/Occupational Health professionals
  • HMRC
  • Department of Work & Pensions
The lawful basis for the processing

For processing of the majority of your personal data, the lawful basis is UK General Data Protection Regulation (UK GDPR) Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

For the Exit Questionnaire/Interview process the lawful basis is UK GDPR Article 6(1)(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party…”. You have a choice as to whether you complete the Exit Questionnaire/interview.

Where your special category personal data are processed, the lawful basis is UK GDPR Article  9(2)(b)  “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.

  • Where employees’ health data are processed, there are several laws which require this. They are as follows: Health and Safety at Work etc. Act 1974; The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013; and Employment Rights Act 1996.
  • Where employees special category demographic information (gender identity, sexual orientation, race, ethnicity) the specific law authorising this is the Equalities Act 2010.
  • Where employees’ criminal conviction data are processed, the specific law authorising this is the Protection of Vulnerable Groups (Scotland) Act 2007.
  • Where employees’ data are processed for the purposes of collective bargaining, involving Colleges Scotland, the specific law authorising this is the Trade Union and Labour Relations (Consolidation) Act 1992.

Exceptionally, we may also use your personal information where we need to protect your, or someone else’s, vital interests; UK GDPR Article 6(1)(d) “processing is necessary in order to protect the vital interests of the data subject or of another natural person” would apply.

Who we share the information with

We share your personal information with the following third party data controllers:

  • Disclosure Scotland
  • Audit Scotland (as part of the National Fraud Initiative)
  • Pension providers (e.g. Lothian Pension Fund, STSS & Prudential for AVCs);
  • HMRC;
  • Colleges Scotland (e.g. national initiatives such as National Bargaining);
  • GPs/Consultants/Occupational Health practitioners (a separate privacy notice will be provided at that time);

We share your personal information with the following data processor:

  • Midland HR (providers of iTrent) only for the purposes of maintaining and upgrading the HR system and resolving technical queries. Edinburgh College hosts the iTrent application and database internally.
How long do we hold the personal data?

We will retain personal data about employees for a maximum of six years after their employment has ceased, with certain exceptions:

The college will retain documents relating to pre-employment health screenings of individuals exposed to hazardous substances through their employment; and records relating to major injuries arising from accidents in the workplace; for 40 years after an employee’s employment has ceased.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice); right of access; right of rectification; right of erasure (commonly known as the right to be forgotten); right to restrict processing; right to object; right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

The rights that apply for this particular processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the college. To do this, please email the DataProtection@edinburghcollege.ac.ukand your request will be processed accordingly.
  • Right to rectification – you can request that inaccurate or incomplete personal data is rectified.
  • Right to Erasure (this right is not absolute and is subject to specifics of the request).
  • Right to object (including to direct marketing). The right to object to direct marketing is absolute and will be responded to accordingly.
  • Right to data portability (this right is not absolute and is subject to specifics of the request).
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect your personal data in order to effectively manage our recruitment process and in order to assist us in:

  • Making a decision about your recruitment/appointment
  • Determining the terms on which you work for us
  • Checking that you are legally entitled to work in the UK
  • Checking your criminal history, including PVG Disclosure Scotland checks
  • Assessing qualifications
  • Checking whether you are eligible for guaranteed offer of interview under Disability Confident Scheme
  • Monitoring and advancing equality of opportunity and eliminating unlawful discrimination, as per the college’s legal duty under the Equality Act 2010 (the Scottish Public Sector Equality Duty requires the college to analyse and produce anonymised reports on the recruitment of persons from specific protected characteristic groups)
What personal data do we collect?

We process the following personal data for all applicants:

  • Name/Title
  • Address(es)
  • Telephone number(s) – home & mobile
  • Personal email address
  • Date of birth
  • Salary
  • Application form (or, if via agency, CV & covering letter)
  • Proof of Right to work in the UK
  • Caring responsibilities
  • Gender
  • Marital Status

 

And for applicants who are offered a role with Edinburgh College we also process:

  • References
  • Qualification certificates
  • Bank details
  • Next of kin/emergency contact details
  • Pension details

 

We also process special category personal data for all applicants:

  • Race
  • Ethnicity
  • Religious beliefs
  • Sexual orientation
  • Disability
  • Gender identity
  • Criminal convictions information

 

And for applicants who are offered a role at Edinburgh College, we will also process the following special category data (further information on how we use this information is provided in the college’s employee privacy notice):

  • PVG Membership Number
  • Medical questionnaire
How are we collecting this information? What is the source?

We will collect the majority of your personal and sensitive information from you during the application stage of our recruitment process. Further information will be requested directly from you if you are offered a role with Edinburgh College (bank details, medical questionnaire, PVG application information (e.g. previous addresses); next of kin details; pension details; occupational health information questionnaire).

If you applied for a post directly through our Edinburgh College website (or link to our website) from January 14th, 2019 onwards, we will store your personal and sensitive information securely on our recruitment module within our HR system (currently iTrent).

If you previously applied for a post through myjobscotland.gov.uk we will have received your information from myjobscotland: they will be a separate controller of your personal data – for further information on how they process your data please see their privacy notice.

The lawful basis for the processing

For processing of your personal data, the lawful basis is GDPR Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

To meet our Public Sector Equality Duties under the Equality Act 2010, we collect additional personal and special category data about our applicants, via our Equalities Monitoring form, to assist the college in monitoring and advancing equality of opportunity and eliminating unlawful discrimination.

Where your special category personal data (e.g. gender identity, sexual orientation, race, ethnicity) are processed for this purpose the lawful basis is GDPR Article 9(2)(g) “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.

Where applicants’ special category demographic information (gender identity, sexual orientation, race, ethnicity) are processed for the purposes of monitoring and advancing equality of opportunity and eliminating unlawful discrimination the specific law authorising this is the Equality Act 2010.

Where applicants’ criminal convictions information are processed the specific law authorising this is the Rehabilitation of Offenders Act 1974 (Exclusions and Exceptions) (Scotland) Amendment Order 2016.

Where applicants’ asylum status/right to work in the UK information are processed the specific law authorising this is the Immigration, Asylum and Nationality Act 2006.

Who we share the information with

We share personal information with the following data processor:

  • Midland HR (providers of iTrent) only for the purposes of maintaining and upgrading the HR system and resolving technical queries. Edinburgh College hosts the iTrent application and database internally.

 

If you are offered a role at Edinburgh College we will share your personal information with the following third party data controllers as part of our new starter process and in order to enter into an employment contract with you (further information on how we use this information is provided in the college’s employee privacy notice):

  • Disclosure Scotland
  • Pension providers (e.g. Lothian Pension Fund, STSS & Prudential for AVCs)
  • HMRC
  • Department of Work & Pensions
  • GPs/Consultants/Occupational Health practitioners (a separate privacy notice will be provided at that time)
How long do we hold the personal data?

If you are unsuccessful in our recruitment process (i.e. you are not offered a role with Edinburgh College) your information will be deleted 6 months after the closure of the recruitment campaign for which you applied.

If you are successful in being appointed to a role at Edinburgh College, we will transfer your personal and sensitive information into our iTrent employee module (please see Privacy Notice for Employees of Edinburgh College (November 2018)).

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

 

The rights that apply for this particular processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the college. To do this, please email the DataProtection@edinburghcollege.ac.ukand your request will be processed accordingly.
  • Right to rectification – you can request that inaccurate or incomplete personal data is rectified.
  • Right to erasure (this right is not absolute and is subject to specifics of the request).
  • Right to object (including to direct marketing). The right to object to direct marketing is absolute and will be responded to accordingly.
  • Right to data portability (this right is not absolute and is subject to specifics of the request).
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it and what are we doing with it (Purpose)?

Edinburgh College are collecting data to:

  • Facilitate commercial hire agreements with individuals and organisations utilising College premises, as well as the ongoing management of those agreements.
  • Manage payments, fees, and charges and to collect and recover any money owed in relation to commercial hire agreements.
  • Maintain accurate accounts and records.
  • Communicate with and manage relationship with those party to the hire agreements.
  • Ensure the Health and Safety as well as security of our premises, students, staff, and visitors.
What personal data do we collect?

We collect and hold a range of personal data and other information for the above purposes. This includes:

  • Contact details, such as name, title, email address, and phone number.
  • Specific details about the reason for hire and/or activity, including space hired, date(s), time(s), resources required.
  • Records of correspondence, either through our website, telephone, e-mail or post.
  • Financial records of charges, payments made and received.
  • Proof of relevant leases and licences (where required).
  • Health and Safety risk assessment details (provided by the hiring organisation/individual).
  • Visitor and parking records, such as name, organisation, reason for visit and car registration number.
  • In the event of an incident or accident, details about it and those involved.
  • CCTV footage/images as CCTV is in operation on campus.

The Special Category personal data we collect are:

  • Accessibility requirements and dietary requirements (should catering be requested) for those attending an event or using the hired space. This is limited to the requirement and number of individuals and is usually provided by the organisation/individual who is party to the hire agreement.
  • Details about an accident or incident and its impact on named individuals.
The lawful basis for the processing

UK General Data Protection Regulation (UK GDPR) Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”; and

UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”.

For the processing of any special category personal data, the lawful basis is UK GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject domestic law” and Data Protection Act 2018 Schedule 1, Part 2, 6(2)(a) “Statutory etc and government purposes”, in relation to the College’s responsibilities under Health and Safety legislation.

Who we share the information with

This data will be available to Edinburgh College Health and Safety leads, Commercial and Events Co-ordinators and Finance staff.

We do not share the data outside of Edinburgh College unless required to do so by law or in the event of legal proceedings.

In the case of an incident or accident, we may be required to share some personal data with the Health and Safety Executive or other relevant authorities.

How long do we hold the personal data?

Records relating to the Hire Agreement will be retained for 1 year from the end of academic year and the agreement itself for 6 years from the end date of the agreement. Finance records are retained for 6 years from the end of financial year. Health and safety records are retained for a minimum of 5 years; should an accident or incident occur, the College may retain the investigation records for up to 40 years after the closure of the investigation in line with Health and Safety legislation. CCTV footage is retained for 14 days, unless required in relation to an incident.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. The rights that apply for this processing are:

  • Right to be Informed – i.e., a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to have inaccurate or incomplete personal data corrected.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request your personal data is deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information.

Some of the rights above only apply in certain circumstances. You can exercise your rights at any time and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk.

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on the ICO website.

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

Your personal information is collected to record and process your compliment or complaint. The Complaints Handling Co-Ordinator/Investigating Officer will may use this personal information to contact you with regards to compliment or complaint.

What personal data do we collect?

Personal data

  • Forename and surname
  • Name of individual acting on your behalf (if applicable)
  • Address
  • Email address
  • Mobile number
  • Course (if applicable)
  • Campus (if applicable)
  • Opinions and other relevant information in relation to investigation

Special Category Personal Data

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade Union membership
  • Health information
  • Sex life or sexual orientation
How are we collecting this information? What is the source?

This information is collected when you complete the compliments and complaint to record a compliment or complaint about the college. When your complaint is being investigated the Complaints Handling Co-Ordinator or Investigating Officer may need to collect further information by e-mail or telephone.

The lawful basis for the processing

The legal basis for processing your personal data is GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” In this instance as the College is a public body it is required under the Scottish Public Services Ombudsman Act 2002 to investigate and resolve complaints received from members of the public.

If you have provided any special category/sensitive personal data within your compliment or complaint, the legal basis for processing is GDPR Article 9(2)(a) “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.”

Who we share the information with

Your data will be shared with the investigating officer to process your complaint. If you have authorised another individual or organisation to act on your behalf, then we would only share information with them on receipt of a completed Data Subject Authorisation Disclosure form. This form is necessary to ensure that you have given the individual/organisation authority to represent you and act on your behalf.

How long do we hold the personal data?

Your information is held for three years from the date of receipt of your compliment and three years after closure of your complaint. After that your information will be destroyed securely and in line with College procedures.

Individuals’ rights in relation to this processing

Under data protection law, individuals have the following rights:

  • The right to be informed – i.e. a privacy notice
  • The right of access – this means you can access your personal data and receive copies of all your data held by the College
  • The right to rectification – this means that you can update/correct inaccurate or incomplete data
  • The right to erasure (commonly known as the Right to be Forgotten (RTBF) – this means you can request your personal data is destroyed, and the College no longer holds your personal data.
  • The right to restriction – this means you can request that the processing of your personal data is restricted. This links with some of the other rights and means that if there is an issue the processing activity can be paused until the issue is resolved.
  • The right to restriction – this means you can request that the processing of your personal data is restricted. This links with some of the other rights and means that if there is an issue the processing activity can be paused until the issue is resolved.
  • The right to data portability – this means you can request all your data in a machine readable format (e.g. a .csv file) to transfer to another organisation.
  • Right to know of any automated decision-making, including profiling – this means you have the right to know of any automated decision-making and not be subject to a decision made solely on automated processing.

Some of these rights are not absolute and require certain conditions. All requests made to the College must be responded to within a month of receipt of the request.

Please note where you have consented to processing of your personal data (specifically the special category data contained in a complaint), you have the right to withdraw your consent at any time.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Cookie Privacy Notice

A cookie is a small text file which is placed on your computer or mobile device by your web browser when you access a website. Cookies store information such as user preferences, to allow web applications to offer you a personalised experience and allow us to monitor which pages users find useful so we can improve your website experience.

This statement aims to provide you with information on what cookies are how we use them and how to accept or reject them.

About Cookies

There are two different types of cookies:

Session Cookies: These are created temporarily when a user visits a website. Once the user closes the browser the cookie is deleted.

Persistent Cookies: This type of cookie remains on the user’s device for a certain period of time. The cookie is re-activated when the user returns to the website that set that particular cookie. These cookies can be removed manually.

The UK International Chamber of Commerce categorises cookies as:

  • Strictly necessary cookies: These cookies are essential in order to enable you to move around a website and use its features, such as accessing secure areas of the website.
  • Performance cookies: These cookies collect information about how visitors use a website to help improve the performance of the site, for instance, which pages visitors go to most often. These cookies are anonymous and do not collect personal data that could identify a visitor.
  • Functionality cookies: These cookies provide an enhanced, more personalised experience by storing your preferences such as username or region you are in.
  • Targeting/advertising cookies: These cookies are used to deliver targeted adverts more relevant to you and your interests.
  • No information from cookies can be traced to an individual person, and the cookie only relates to activity on our website.

The information cannot be used for marketing on an individual basis and does not compromise the security of your device.

Please visit www.allaboutcookies.org for further information about cookies.

Edinburgh College Cookies

Google Analytics

Edinburgh College uses Google Analytics to track how our website is being used. This enables us to improve the website to better meet the needs of users.

Cookie Names: _utma, _utmb, _utmc, _utmv _utmz

Google Analytics cookies are present on every page on the website and store information such as the location of the user, how they found the site (search engine, direct link etc,), what pages they have visited and how long they have spent on the site.

This information is anonymous and cannot be traced to an individual.

Share This Content

Users can share information on our website the various social media through the “Share this Content” toolbar.

Cookie Name: _atuvc

The __atuvc cookie is created and read by the AddThis social sharing site JavaScript on the client side in order to make sure the user sees the updated count if they share a page and return to it before our share count cache is updated. No data from that cookie is sent back to AddThis and removing it when disabling cookies would cause unexpected behaviour for users.

Website Accessibility

Users can use the website accessibility features to change the font size, background colour and text colour of pages on the website. This allows for better readability of the website.

Cookie Names: _ecad , _ecbgc , _ectc , _ecfs

These cookies are used to ensure that any changes made are present on all pages on the website. As such, these cookies are present on all pages, but only if the user has specified a custom setting.

Previously Viewed Courses

Users can see their previously visited courses on the right-hand side of any course pages.

Cookie Name: _ecrv

This provides the user with the ability to quickly navigate to one of up to the last three courses that they have viewed on the website. This cookie is only used on Course Pages.

Managing Cookies

If you would prefer cookies not to store data or would like to manage individual cookies, you can do this through your web browser.

Click on the links below for more information on the most popular browsers:

  • Google Chrome
  • Microsoft Internet Explorer
  • Mozilla Firefox
  • Apple Safari
  • Opera
  • iOS
  • Android
  • Blackberry®
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We are collecting this data to gather information about those attending the event for management and evaluation purposes as well as to ensure any reasonable adjustments are met. 

We will also be taking photos and videos at the Interfaith Week Event for marketing and promotional use on the Edinburgh College social media channels and College report/newsletter. The photos and video taken at the event may also be used as part of future educational material. 

What personal data do we collect?
  • Name
  • Email address and/or Phone number
  • Reasonable adjustments (if submitted) 
  • Photos or videos of those attending during the event – these will be of crowds and groups and identifying information, such as your name, will not be included if they are published. 
How are we collecting this information? What is the source?

Data is collected directly from individuals through the online booking form. Photos/video will be taken during the event itself. 

The lawful basis for the processing

The lawful basis is UK General Data Protection Regulation (UK GDPR) Article 6(1)(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” The legitimate interest is based on the College’s legitimate business interest to record and promote our work. 

A procedure has also been put in place whereby if you object to being recorded then the College will ensure the photographer/videographer does not include you in any image/footage taken.   

Who we share the information with

The College will not share your information with anyone else. However, a selection of photos/images taken at the event will be published online and may be used for educational material.

How long do we hold the personal data?

The College will not hold your data for longer than necessary. Following completion of the event, the College will hold the photos and video recordings for five years, then securely destroy/delete following College procedures. 

Photographic/video images shared on websites and social media will be in general circulation and may be retained in a historical archive indefinitely or permanently. Once photos and videos have been published in the public domain it is difficult to retract and/control any subsequent use by third parties.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. The rights that apply for this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – you have the right to access your personal information.
  • Right to Rectification – you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – can request your personal data is deleted.
  • Right to Restriction – you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.

Some of the rights only apply in certain circumstances. You can exercise your rights at any time and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

The information collected is used for marketing and promotional purposes relating solely to EH15 and Apprenticeship Restaurant. We will use your information to contact you via email (where you request this) to advise you of restaurant offers and special promotions relating to Edinburgh College’s EH15 and Apprentice restaurants.

Your feedback scores and any comments you provide will be used by the college’s learning and teaching staff to provide feedback to students and will form part of their assessment material. Please note comment cards are completely anonymised for this purpose.

What personal data do we collect?

The personal information we collect is your forename; surname; email address; postal address; your feedback on your dining experience and any comments you provide; we will also keep a record of your consent to receive promotional information via email where you provide this.

How are we collecting this information? What is the source?

The data is collected from EH15 and the Apprentice Restaurant patron comment cards.

The lawful basis for the processing

The condition for processing personal data for this purpose is Article 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes”

If you wish to withdraw consent to receive direct marketing, please email: Communications@Edinburghcollege.ac.uk

Who we share the information with

Data Processors

We use a third-party provider, Mailchimp (Data Processor) to communicate our promotional offers with you. We also gather statistics around email opening and clicks using agents via MailChimp (sub-processors) to help us monitor and improve our communication. For more information, please see Mailchimp’s Privacy Policy - https://mailchimp.com/legal/privacy

Details of data transfers to any third countries or international organisations

Mailchimp (Data Processor) is a US based company and your information may be transferred to, stored, or processed in the United States. Mailchimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework – details of this are available here: https://www.privacyshield.gov/list

How long do we hold the personal data?

We will hold your information for five years from the date of consent. After this time, we will re-contact subscribers to confirm they wish to remain on our mailing lists.

Individuals’ rights in relation to this processing

Under data protection law you have a number of rights regarding how an organisation processes your personal data. You have various rights including:

  • Right to be informed (provided by this Privacy Notice)
  • Right of access to the personal information Edinburgh College holds about you.
  • Right to rectification - To change any personal information that’s wrong, incomplete or out of date.
  • The right to restrict processing – this links with the other rights and if there is an issue you can request that the processing restricted until the issues are resolved
  • The right to object (including to direct marketing – which is an absolute right)
  • The right to erasure (commonly known as the ‘right to be forgotten’) – this means you have the right to request all your data is destroyed
  • The right to data portability – this means you have the right to have your personal data in a machine-readable format (e.g. .csv file) provided to you (or if you request transferred to another organisation).

If you want to know more about your rights, or if you want to contact Edinburgh College to make use one or more of your rights, please email DataProtection@edinburghcollege.ac.uk or phone 0131 297 8663. Please note some of these rights are not absolute and require certain conditions to be met.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

This notice relates to data which will be collected by third party partners working with Edinburgh College to offer services and support to students and staff.

Edinburgh College is the Data Controller for the personal data received. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

Edinburgh College students will be signposted to Business Start-up support offered by a range of external partners including, Bridge to Business, The Merchant Company of Edinburgh, Business Gateway Edinburgh, Business Gateway Midlothian, Codebase and the RBS Accelerator. This support could include mentorship programmes, funding opportunities, networking events, workshops and 1:1 support.

Personal data will be collected by these partners directly from you to support individuals to register for activities and support their engagement. They will share some of this personal data with the College to inform them of the engagement with and uptake of the support to allow for programme evaluation.

What personal data do we collect?

We will receive:

  • name
  • age or date of birth,
  • course studying
  • details of the specific support you have engaged with
The lawful basis for the processing

Under data protection legislation, the lawful basis for the College to process the information we receive is UK GDPR Article 6(1)(e) ‘performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

Who we share the information with

After receiving the information from the Business Start-up Support organisation, we do not share this information outside of the college.

How long do we hold the personal data?

Data will be held for one academic year to support programme evaluation.

Individuals’ rights in relation to this processing

Under data protection law, individual have certain right. Some of these rights only apply in certain circumstances. For this specific processing purpose you have the following rights:

  • The right to be informed – i.e., a this privacy notice.
  • The right of access – you can access and receive copies of your data.
  • The right to rectification – you can update/correct inaccurate or incomplete data.
  • The right to erasure – you can request your personal data is destroyed.
  • The right to restriction – you can request the processing of your personal data is restricted.

You can exercise your rights at any time and the College has a month to respond; please contact the Data Protection mailbox (DataProtection@edinburghcollege.ac.uk) and your request will be processed accordingly.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk.

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on the ICO website.

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed a Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

As a public authority, Edinburgh College is required to have due regard to the need to:

  • Eliminate unlawful discrimination, harassment and victimisation and other conduct prohibited by the Equality Act 2010.
  • Advance equality of opportunity between people who share a protected characteristic and those who do not.
  • Foster good relations between people who share a protected characteristic and those who do not.

Edinburgh College is also third-party reporting centre for Hate Crime. Therefore, we have a duty to record hate incidents that happen within the business of the College.

Your personal data is collected when you make the College aware of a hate or misogyny incident using the ‘With Details’ report form. The personal data and information you provide will be used to assess and/or investigate the incident, to get in touch with you to obtain more information about the incident and for statistical and analytical purposes.

If you do not wish the College to address the incident directly, nor take any direct action, an anonymous reporting form is also available.

What personal data do we collect?

Personal data

  • Forename and surname
  • Name of individual acting on your behalf (if applicable)
  • Email address
  • Mobile number
  • Gender identity
  • Campus (if applicable)
  • Other relevant information in relation to the incident

Special Category Personal Data

  • Protected Characteristics under the Equality Act 2010
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Health data, including mental health
  • Sex life or sexual orientation
The lawful basis for the processing

Under data protection law our lawful basis is:

  • UK General Data Protection Regulation (UK GDPR) Article 6 (1) (c) ‘necessary for compliance with a legal obligation’. This includes:
    • The duty to investigate allegations/complaints under The Scottish Public Services Ombudsman Act 2002 (SPSO Act 2002).
    • To prevent discrimination, harassment and victimisation and other conduct prohibited by the Equality Act 2010.
    • Children & Young People (Scotland) Act 2014 part 9; Adult Support & Protection (Scotland) Act 2007; Counter-Terrorism & Security Act 2015.
  • Where we may need to process your data outside of the above and in case of you, or another person being in danger of serious harm, our lawful basis is UK GDPR Article 6 (1) (d) ‘necessary to protect the vital interests of the data subject or another person’.
  • For Special Category data, UK GDPR Article 9 (2) (g) ‘necessary for reasons of substantial public interest using the following conditions in Data Protection Act 2018 (DPA 2018) Schedule 1 Part 2:
    • s6 Statutory etc and Government purposes.
    • s8 Equality of Opportunity or treatment.
    • s10 Preventing or detecting unlawful acts.
    • s18 Safeguarding of children and individuals at risk.
Who we share the information with

Depending on the nature of the incident, your data may be shared with the following teams:

  • Complaints Handling.
  • Human Resources.
  • Learning Development Tutors / Student Experience.
  • Safeguarding.

A relevant employee will proceed with the investigation if deemed necessary and may contact you directly. Further details on how these teams process your personal data will be provided to you and are also available on the College website.

The personal data you provide will be treated with discretion. The College does not share your personal data outside of the College unless you have asked us to or we are required by law.

The College may share your personal data with Police Scotland, Social Services, the NHS and other emergency services if your physical or emotional wellbeing is at risk or if we believe you, or another person are in danger of serious harm.

How long do we hold the personal data?

We will retain your personal data from the report form for up to three years from the date when the report is received and when the incident is addressed, then destroy securely and in line with College procedures.

Individuals’ rights in relation to this processing

The following data protection rights may apply to this processing:

  • The right to be informed – i.e., a privacy notice
  • The right of access – you can access and receive copies of your data held by the College
  • The right to rectification – you can update/correct inaccurate or incomplete data.
  • The right to erasure (commonly known as the ‘Right to be Forgotten’) – you can request your personal data is destroyed.
  • The right to restriction – you can request that the processing of your personal data is restricted.
  • Right to know of any automated decision-making, including profiling – you have the right to know of any automated decision-making and not be subject to a decision made solely on automated processing.

Some of these rights are not absolute and require certain conditions. All requests made to the College will be responded to within a month of receipt of the request.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on ICO website.

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect your information for the purpose of processing your application and enrolling you on an Edinburgh College programme of study; and to facilitate your studies at the college (we explain this in more detail below).

We use your information to provide you with accommodation services, cultural activities (e.g. to arrange visits to local attraction), arrange school visits and transport services (e.g. collecting you from the airport).

We specifically need your information:

To process your application to study one of our courses

This will include reviewing your application to see if you have met the entry criteria for a course; evaluating whether the college is able to offer you a place on a course/fulfil a contract of study; and offering a place on an Edinburgh College course where appropriate.

To review any additional support needs you may have

This application form gives you the opportunity to tell the college about any additional support need(s) (including health needs) you may have.

For academic purposes (once you enrol)

To provide you with teaching, learning and support services; to assess your work; record your progress and ensure you receive certificates from awarding bodies like SQA and BTEC. To give you access to learning and teaching tools, Student Support, IT, library, careers, and other college services. To seek your feedback on our courses.

For administrative and financial management services

To administer fees due and paid for by you and to process payment made for other college-related services (for example if you are staying in college accommodation). Edinburgh College works with Western Union to facilitate student payments. When you make your payment via Western Union, Western Union will inform the College of your name and the amount you have paid.

For immigration purposes

To support you with your application for a visa to study in the UK, and to comply with our Tier 4 Sponsor obligations to support immigration control.

To analyse student applications and enrolments for business, planning and equal opportunities purposes

The college analyses student applications and enrolments, including by key protected characteristic groups (including age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; gender; and sexual orientation) to plan and improve its services and curriculum offering. Analysing applications and enrolments by key protected characteristic groups forms part of the college’s responsibilities under the Public Sector Equality Duty, part of the Equality Act (2010).

What personal data do we collect?

Personal data

  • Name, address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • Employer details
  • Previous education, qualifications and employment history
  • Bank account details
  • Financial information (including family)
  • Course and units of study (including previous courses of study)
  • Assessment information related to your course, including assessment and exam dates and results
  • Disciplinary information
  • Appeals and complaints information
  • Photographic image and footage (CCTV)
  • Your IP Address (your unique online identifier when browsing the internet).
  • Your unique student ID
  • First/preferred language
  • Gender
  • Marital/civil partnership status (*if your visa status is dependent on your partner)

Special Category Personal Data

  • Disability & health data (including mental health)
  • Special interest group status (e.g. asylum seeker; refugee)
  • Passport number and country of domicile
  • Visa information
  • Immigration history
  • Attendance data
How are we collecting this information? What is the source?

When you first apply for a place on an Edinburgh College course, we will collect data about you from your completed application form.

When you formally enrol on a course, we will also ask you for new items of personal information as identified on the list above.

If you are referred by an agent representative, or are being sponsored on your course, we will receive some or all of your personal information directly from your agent or sponsor.

Edinburgh College works with Western Union to facilitate student payments. When you make your payment via Western Union, Western Union will inform the College of your name, your student reference number (from the offer letter sent to you by the college) and the amount you have paid.

The lawful basis for the processing

Under GDPR Article 6(1)(b) “Processing is necessary for the performance of a contract to which the data subject is party to in order to take steps at the request of the data subject prior to entering into a contract.” Is legal basis for processing your personal data (to enrol you as a student at Edinburgh College and deliver the educational experience detailed to you).

For special category (sensitive) personal data, the legal basis is Article 9(2)(b) “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.” The specific social protection law which authorises processing of special category personal data is The Equality Act (2010).

Who we share the information with

For immigration purposes

As a Tier 4 Sponsor Edinburgh College has a responsibility to comply with all aspects of the Immigration Rules and sponsor guidance, and support immigration control, including taking steps to ensure that every student at our institution has permission to study in the UK throughout the whole period of their study. We must co-operate with the Home Office (UK Visas and Immigration) by complying with requests for information, including in connection with the prevention or detection of crime, the administration of illegal working civil penalties and/or the apprehension or prosecution of immigration offenders.

For sponsored programmes

We may be required to provide reports to your financial sponsors to update them about your attendance, progress and welfare.

For students under 18

We may contact your parents or guardians if we have any concerns about your attendance, progress or welfare.

For academic purposes

Such as providing the results of assessments to awarding bodies to enable them to confer you with academic awards (e.g. a HNC, SVQ, BTEC qualification); arranging an industry placement for you as part of your studies.

For democratic purposes

To enable you to vote in Edinburgh College Students’ Association (ECSA) elections, as per your legal right to elected student representation.

Where we place you in accommodation (e.g. halls of residence with a home stay host)

e.g. halls of residence with a home stay host): we will share your personal information (name, age, gender; contact details and special category information dietary requirements, allergies, medical requirements) to facilitate your stay.

Where we arrange transport (e.g. bus passes or taxi transfers)

(e.g. bus passes or taxi transfers) we will share your name and (homestay) address in Edinburgh with the transport provider.

Where we arrange a school visit

We will share you name with the school you are visiting.

Where you are due a refund of fees

If you have paid your fees through Western Union and you are due a refund according to our refund policy, we will share your name, reference number, email address and total to be refunded with Western Union.

Where we have a legal obligation to do so

Edinburgh College is obliged to share limited information on international students with the Scottish Funding Council – the regulatory body for Scottish colleges. This information is limited to your: gender; name; date of birth; postcode; Scottish Candidate Number; how your place on an Edinburgh College course is being funded.

Details of data transfers to any third countries or international organisations

For sponsored programmes

We may be required to provide reports to your financial sponsors to update them about your attendance, progress and welfare – subject to where your sponsor is located this may be outside the EU. Where a sponsor is outside the EU the college ensures appropriate organisational and technical security measures are in place to safeguard your data and that a clear agreement is in place around the security of your information.

Where you pay your fee via Western Union

Edinburgh College works with Western Union to facilitate student payments. When you make your payment via Western Union, Western Union will inform the College of your name, your student reference number (from the offer letter sent to you by the college) and the amount you have paid. Western Union processes your data in the United States. Where Edinburgh College shares your data with Western Union (for the purposes of processing a refund) your personal data will be processed in the United States.

How long do we hold the personal data?

We will keep paper records in relation to you studies for three years after the end of the academic year in which you are studying. Digital information will be held on the college’s systems and student records database in line with college retention and disposal schedules.

Individuals’ rights in relation to this processing

Under data protection law you have a number of rights regarding how an organisation processes your personal data. You have various rights including:

  • Right to be informed (provided by this Privacy Notice)
  • Right of access to the personal information Edinburgh College holds about you.
  • Right to rectification - To change any personal information that’s wrong, incomplete or out of date.
  • The right to restrict processing – this links with the other rights and if there is an issue you can request that the processing restricted until the issues are resolved
  • The right to to object (including to direct marketing – which is an absolute right)
  • The right to erasure (commonly known as the ‘right to be forgotten’) – this means you have the right to request all you data is destroyed
  • The right to data portability – this means you have the right to have your personal data in a machine-readable format (e.g. .csv file) provided to you (or if you request transferred to another organisation).

If you want to know more about your rights, or if you want to contact Edinburgh College to make use one or more of your rights, please email DataProtection@edinburghcollege.ac.uk or phone 0131 297 8663. Please note some of these rights are not absolute and require certain conditions to be met.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

Sharing Data with Audit Scotland: National Fraud Initiative

This College is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of the College. It is also responsible for carrying out data matching exercises under the National Fraud Initiative.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This will include personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it indicates that there may be an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help bodies to ensure that their records are up to date.

Audit Scotland currently requires Edinburgh College to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to Audit Scotland for matching. The exact nature of the data supplied is set out in Audit Scotland’s instructions, which can be found at: http://www.audit-scotland.gov.uk/our-work/national-fraud-initiative

The use of data by Audit Scotland in a data matching exercise is carried out under their statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 2018. Data matching by Audit Scotland is subject to a Code of Practice. This may also be found at: http://www.audit-scotland.gov.uk/our-work/national-fraud-initiative

For further information on Audit Scotland’s legal powers and the reasons why it matches particular information, see the full text privacy notice at: http://www.audit-scotland.gov.uk/our-work/nationalfraud-initiative

The lawful basis for the processing

Our legal reason for processing the data is that use is necessary for the performance of a task in the public interest. Article 6, (1), (e)

Special category (sensitive) data: Processing is necessary for reasons of substantial public interest and is authorised by domestic law proportionate to the aim pursued. The legal basis for processing your special category and criminal convictions data is Article 9 (2) (g) substantial public interest, and sections 6, 10, 11, and 12 of schedule 1 to the Data Protection Act 2018.

Individuals’ rights in relation to this processing
  • The right to access your personal data
  • The right to rectification if the personal data we hold about you is incorrect
  • The right to restrict processing of your personal data

The following rights apply only in certain circumstances:

  • The right to withdraw consent at any time if consent is our lawful basis for processing your data
  • The right to object to our processing of your personal data
  • The right to request erasure (deletion) of your personal data
  • The right to data portability
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect your personal data for the following purposes:

To enrol your child on Edinburgh College’s STEM Inspiration Experience day

This will include enrolling your child on Edinburgh College’s Student Record System to enable them to participate in the STEM Inspiration Experience day. The college is also required to keep a record that your child attended the STEM Inspiration Experience Day, as required by the Scottish Funding Council for funding and audit purposes.

To maintain a register of pupils who attended on the day (for health and safety purposes)

This is to ensure the college has an accurate list of pupils who are physically on campus during a STEM Inspiration Experience day (for health and safety purposes).

To maintain a register of school staff who are on campus during the day

Teaching staff and pupil support assistants who are accompanying pupils during the day will be asked to enter their details on to the college’s visitors’ book.

To analyse student participation in the STEM Inspiration Experience for business, planning and equal opportunities purposes

The college analyses student enrolments to plan and improve its services and curriculum offering. Analysing STEM enrolments by gender (to consider any gender imbalance in STEM participation) forms part of the college’s responsibilities under the Public Sector Equality Duty, part of the Equality Act 2010. The college will also analyse enrolments to establish if pupils who participate in a STEM Experience Inspiration day ultimately choose to enrol at Edinburgh College upon leaving secondary education.

To publicise and promote the STEM Inspiration Experience (but only where we have your consent to do so)

The college will also ask for your consent to use photographic and video footage of your child during their participation in the STEM Inspiration Experience. The college will not gather this footage unless we have your consent to do so in advance. We explain how we ask for your consent (and how you can withdraw consent if you later wish to do so) below.

What personal data do we collect?
  • Name
  • Date of birth
  • Gender
  • School postcode
  • Image & video footage (only with consent – see below)
How are we collecting this information? What is the source?

Once you give your permission for your child to participate in a STEM Inspiration Experience day we will automatically collect their name, date of birth and gender, directly from your school, who will supply it to the college via email in a password-protected spreadsheet.

We will separately ask for your consent to take and use photographs and footageof your child via a specific consent form provided to you via your child’s school. This form also includes a privacy notice explaining how the images/footage will be used in the event that you provide consent.

The lawful basis for the processing

Enrolment on STEM Inspiration Experience

For the processing of your personal data in order to enrol your child on a STEM Inspiration Experience day and enable their participation in this educational experience, the lawful basis is GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. The specific law authorising this is the Post-16 Education (Scotland) Act 2013.

Sharing of required enrolment data by your child’s school

Where your child’s data are shared with Edinburgh College, by their school, the lawful basis is GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. The specific law authorising this is the Education (Scotland) Act 1980.

Photography and filmed footage for Edinburgh College promotional purposes

Where the college uses photographic images or video footage of your child participating in a STEM Inspiration Experience day, this will only be where you have provided consent. The lawful basis is GDPR Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. If you have given consent to photography/filming, and wish to withdraw that consent, please email: communications@edinburghcollege.ac.uk

Who we share the information with

Data Controllers: 

The college shares your information with the following data controller:

Scottish Funding Council: the college is required to provide your child’s name; date of birth; gender; and the postcode of their school to the Scottish Funding Council in line with their requirements for all pupils/students taking part in activities/programmes at Scottish colleges.

Data processors:

The college uses the following data processors to process your personal information:

Unit-E (Edinburgh College’s Student Record System) is provided by a third party. The student record system is hosted by Edinburgh College and sits within the college’s technical controls. Microsoft (Reporting functions) are used to report on data supplied.

How long do we hold the personal data?

Paper attendance registers, and personal data held on the college’s Student Record System will be deleted six years after the end of the current academic year (2019/2020).

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice); right of access; right of rectification; right of erasure (commonly known as the right to be forgotten); right to restrict processing; right to object; right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

The rights that apply for this particular processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the college. To do this, please email the DataProtection@edinburghcollege.ac.ukand your request will be processed accordingly.
  • Right to rectification – you can request that inaccurate or incomplete personal data is rectified.
  • Right to Erasure (this right is not absolute and is subject to specifics of the request).
  • Right to object (including to direct marketing).
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk  

Why are we collecting it and what are we doing with it (Purpose)?

The purpose of the Exit Interview Questionnaires is to understand reasons for leaving and to help feedback and improve any College services. HR will store and use the data to analyse trends and monitor statistics. The questionnaire will also be used (with personal data redacted) for the purposes of providing high level reports to the Executive Team and Senior Management Team. There is the opportunity to have a 1-2-1 with HR following the completion of the questionnaire. Any additional data collected through the interview will be recorded within the questionnaire. 

What personal data do we collect?

Personal data

  • Name 
  • Start and end dates of employment
  • Job title
  • Your personal opinions on your employment at the College 
The lawful basis for the processing

The legal basis for processing under UK GDPR Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.  

Who we share the information with

As referenced earlier data will be anonymised for the purposes of providing high level reports to the Executive Team and Senior Management Team. Additional consent will be sought for sharing information with your Line Manager.  

iTrent is used for this process and therefore the provider of iTrent, Midland HR, is a processor, there is appropriate documentation in place for this. Midland HR (providers of iTrent, HR system) process data only for the purposes of maintaining and upgrading the HR system and resolving technical queries. Edinburgh College hosts the iTrent application and database internally. Further details are contained in the college’s employment privacy notice. 

How long do we hold the personal data?

The college will hold the data for 7 years then the data will be securely destroyed following college procedures. 

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are:  

  • Right to be informed (e.g. privacy notice),  
  • right of access,  
  • right of rectification,  
  • right of erasure (commonly known as the right to be forgotten), 
  • right to restrict,  
  • right to object – for this purpose, the right to object does not apply. 
  • right to data portability, and  
  • the right to know of any automated decision making (including profiling)The College does not process data in this way.  

It’s worth noting that you can exercise your rights either or in writing and the College will respond no later than one month. 

It’s important to note that as the lawful basis for this processing is consent, that the consent can be withdrawn at any time. If you want to withdraw your consent for this purpose please email: HREnquiries@edinburghcollege.ac.uk  

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk  If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/  

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address: 

Customer Contact 

Information Commissioner's Office 

Wycliffe House 

Water Lane 

Wilmslow, SK9 5AF

Privacy Notice for Progressing Students

Edinburgh College is providing you with this information to comply with data protection law and to ensure that you are fully informed and we are transparent in how we collect and use your personal data.

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect your personal data for the following purposes:

To process your application to study one of our courses

This will include reviewing your application to see if you have met the entry criteria for a course; and offering a place on an Edinburgh College course where appropriate (some courses will require you to attend an interview).

Where you accept an offer of a place on an Edinburgh College course we will use your information to provide you with a timetable; provide you with other essential information required to begin your studies, and to invite you to a registration event.

If your course requires you to have a Protecting Vulnerable Groups (PVG) check we will use the information you have supplied to arrange this with you directly.

To review your student funding and childcare funding eligibility

When you have been offered a place on an Edinburgh College course, if you choose to apply for funding, the college’s Student Funding Team will review your course and funding applications, and use the information provided about your education, location and personal circumstances to consider whether you are eligible for student funding support.

When you accept an offer of a place on a Further Education (FE) course at Edinburgh College you will have the opportunity to apply for student funding on the EMA/Bursary and Childcare funding sections of the application website. If you choose to apply for funding you will receive an email asking you for documentary evidence to support your application. This email will give you instructions on how to supply this and about what will happen next. (Please note childcare funding can only be awarded for registered childcare costs whilst you are attending classes).

If you accept a place on a Higher Education (HE) course you will have the opportunity to apply for childcare funding on the funding application website. If you choose to apply for funding you will receive an email asking you for documentary evidence to support your application. This email will give you instructions on how to supply this and about what will happen next. (Please note childcare funding can only be awarded for registered childcare costs whilst you are attending classes).

To arrange payment of course fees

If you or your employer are paying for your course of study, the college will contact you separately to request further information, including bank details (for example).

If you are eligible for a fee waiver, and have been offered a place on an Edinburgh College course, the college will collect further information and evidence from you separately – this will either be through the course application system, or directly from you.

If you have applied for an Individual Training Account to part pay your course fees you will be asked to provide the college with proof of income in the form of a P60 or your last three months’ payslips.

To analyse student applications for business, planning and equal opportunities purposes

The college analyses student applications, including by key protected characteristic groups (including age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; gender; and sexual orientation) to plan and improve its services and curriculum offering. Analysing applications by key protected characteristic groups forms part of the college’s responsibilities under the Public Sector Equality Duty, part of the Equality Act 2010. This information (where you choose to supply it) will not be used in any selecting or allocating process.

To keep in touch with you about wider college activities (for marketing purposes)

The college will inform you about the essential information you will need to begin your course. However, the college would also like to keep in touch with you, before you start your course, about wider events and activities across the college beyond your course of study – we will always ask for your consent to send you this additional information, and if you consent, you can withdraw this at any time by emailing Marketing@edinburghcollege.ac.uk

To meet our responsibilities in relation to your school, local authority, and Skills Development Scotland

If you have been referred to the college by a local authority or local authority support service we will share basic information about the status of your application with that local authority/local authority support service. This will be limited to the status/progress of your application.

We will share your personal data with other third parties (for example a parent or guardian if you are 16 or over) only where we have your consent.

The college is required to provide certain information on “young people” (individuals aged 15 to 25) to Skills Development Scotland (SDS), to enable SDS to a). monitor that young person’s involvement in education or training; b) provide advice or support with regard to that young person’s training. This is explained in our information sharing section below.

What personal data do we collect?

Personal data

  • Name, primary & term address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • Method of course payment (if applicable)
  • National Insurance Number (Modern Apprentices; ESF-funded students; ITA-funded students only)
  • Previous education (including Scottish Candidate Number), qualifications and employment history
  • Employment status (e.g. jobseeker) and history
  • Skills & experience (personal statement)
  • UK Visa status
  • Your IP Address (your unique online identifier when browsing the internet)
  • Method of payment
  • If you are a carer or have caring responsibilities
  • Care experienced/looked after background status (if applicable)
  • First/preferred language
  • Residency information/date & reason of entry to UK/EU
  • Veteran status

Special category data (only where you provide this; or it is required by law*)

  • Gender (and gender identity)
  • Sexual orientation
  • Religion or religious denomination
  • Ethnicity
  • Disability & health data (including mental health)
  • Marital/civil partnership status
  • Pregnancy and maternity information
  • Special interest group status (e.g. asylum seeker; refugee; stateless person; person with profound or complex needs)
  • *Offences and alleged offences (for the purposes of PVG checks where required)
  • *Criminal proceedings, outcomes and sentences (for the purposes of PVG checks where required)

 

How are we collecting this information? What is the source?

We collect this information directly from you through the college’s application form (or directly from you, after you have submitted your application, in the circumstances explained below):

If your course of study requires you to be subject to a PVG check we will collect further details directly from you, following submission of your application.

If you apply for student funding we will use information from your application (name; date of birth; gender; address and course details) and collect additional information from you through the Student Funding Application Form – we will explain how we use that information in a separate privacy notice provided to you at that time.

Where we need further information around the payment of your course fees, or your exemption from paying course fees, we will collect this information from you separately. (Please note, fee-waiver evidence will be collected through the college’s application form for certain courses).

If you enrol on an Edinburgh College course we will confirm the information you have provided via our self-enrolment form (you will be provided with a link to our 'enrolled students' privacy notice at that point).

The lawful basis for the processing

For processing of your personal data in order to process your application, the lawful basis is GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. The specific law authorising this is the Post-16 Education (Scotland) Act 2013.

Where your special category personal data are processed, the lawful basis is GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

Where the college processes your special category data specifically to provide learning support, the specific law authorising this is the Post-16 Education (Scotland) Act 2013.

Where applicants’ special category demographic information (gender identity, sexual orientation, race, ethnicity) are processed for the purposes of analysis in order to advance equality of opportunity and treatment for all student groups, the specific law authorising this is the Equalities Act 2010 (but only where you’ve chosen to supply this information).

Where your personal data are shared with your school or local authority for the purposes of updating them on your application status, the specific law authorising this is the Education (Scotland) Act 1980.

Where your personal data are shared with Skills Development Scotland, the specific law authorising this is the Post-16 Education (Scotland) Act 2013 and specifically the Young People's Involvement in Education and Training (Provision of Information) (Scotland) Order 2014.

Who we share the information with

The college shares your information with the following data controllers:

Your local authorities and/or school (where you are a school leaver, or have been referred to the college via a local authority department or support service)

Skills Development Scotland: if you are aged 15-25 the college is required to provide the following information to Skills Development Scotland via a secure data hub: your name, address, telephone number, date of birth, Scottish Candidate Number; course information (including start and end date); application/enrolment status; course withdrawal or completion information.

Data Processors: The college uses the following data processors to process your personal information:

Unit-E and CAMS are provided by third party suppliers, to process student applications and student funding applications. Microsoft (Reporting functions) are used to report on data supplied. These are hosted by Edinburgh College and sit within the college’s technical controls.

How long do we hold the personal data?

Paper application forms deleted after seven years; personal data will remain on the college’s Student Record System in line with the college’s retention schedule.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice); right of access; right of rectification; right of erasure (commonly known as the right to be forgotten); right to restrict processing; right to object; right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

The rights that apply for this particular processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the college. To do this, please email the DataProtection@edinburghcollege.ac.ukand your request will be processed accordingly.
  • Right to rectification – you can request that inaccurate or incomplete personal data is rectified.
  • Right to Erasure (this right is not absolute and is subject to specifics of the request).
  • Right to object (including to direct marketing). The right to object to direct marketing is absolute and will be responded to accordingly.
  • Right to data portability (this right is not absolute and is subject to specifics of the request).
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk.

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College has appointed a named Data Protection Officer (DPO), Lizi Bird, who can be contacted by emailing DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We are collecting your information to process your application to do a course in the School of Art and Design. The application process requires you to submit a portfolio of examples of your Art and Design work, so delivery staff can review your portfolio. You will then be invited to a portfolio review to assess your suitability for the course. 

The portfolio you submit will be stored securely and only accessed by certain staff. 

What personal data do we collect?

Personal data

  • Name
  • Course applied for
  • Digital and/or physical portfolio
  • Personal Opinions contained within portfolio and noted at an in-person portfolio review
The lawful basis for the processing

Under data protection law the legal basis for the College in processing your personal data is GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” The Post-16 Education (Scotland) Act 2013 and the Further and Higher Education (Scotland) Acts 1992 and 2005 require the College to provide quality fundable courses and this is one of the College’s core public tasks. 

Who we share the information with

The College does not share your application and portfolio information with anyone external to the College, unless there is a legal requirement to do so. The College does use third party software providers, for example Microsoft Teams, in those instances appropriate contractual agreements are in place to protect your information.

How long do we hold the personal data?

The College will not hold your data for longer than necessary. Following the completion of interviews for the academic year, the department will hold the digital portfolio for six months, then securely destroy/delete following College procedures.

We may ask to keep your portfolio to use as an example for future students. We will contact you directly to ask your permission and the portfolio would be anonymised and personal information – for example scans of qualifications would be removed.

Individuals’ rights in relation to this processing

Under data protection law, individuals have certain rights. Some of these rights only apply in certain circumstances. For this specific processing purpose as well as the right to be informed, you have the following rights: 

  • Right of access – this means you have the right to access and/or receive a copy of the personal data the college holds about you 
  • Right to rectification – this means you have the right to correct incorrect or incomplete data held about you 
  • Right to erasure – this means you have a right to request data about you is deleted/destroyed; we may not always be able to do this dependant on other legal retention requirements for the data
  • Right to restrict processing – this means you have the right for the processing to be restricted and normally will link with one of the other rights, for example rectification 
  • Right to object – this means you can object to the way your data is being processed. 
  • Rights in relation to automated individual decision making, including profiling – currently the College does not process data in this way 

You can exercise any of your rights at any time and the College has a month to respond. To exercise a right, please contact the Data Protection mailbox DataProtection@edinburghcollege.ac.uk and your request will be processed accordingly. 

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk.

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO) who can be contacted by emailing: dataprotection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We are collecting this data to gather information about those attending the event for management and evaluation purposes. We are also collecting data for marketing and promotional use on the Edinburgh College website and social media channels. The photos and video taken at the event will also be shared with the Construction Industry Training Board (CITB) for them to use in their promotional material.

What personal data do we collect?

We collect the following information about people attending the event:

  • Name
  • Date of Birth
  • Email address
  • School name
  • Town/city of residence
  • Photograph
  • Video
How are we collecting this information? What is the source?

Data is collected both directly from individuals through the online booking form and from external sources. External sources include the CITB and local school contacts through the Edinburgh College Schools team.

The lawful basis for the processing

The lawful basis is GDPR Article 6(1)(f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” The legitimate interest is based on the College’s legitimate business interest to record and promote our work. We will inform you that we will be capturing and using your image and make this privacy statement available to you.

A procedure has also been put in place whereby if you object to being recorded then the College will provide you with a lanyard at registration to ensure you are not captured in the photos or video taken at the event.

Who we share the information with

The College shares your information with the following data controller.

Construction Industry Training Board (CITB): The College will share the photos and video taken at the event with CITB for use in their marketing materials via a secure link.

How long do we hold the personal data?

The College will not hold your data for longer than necessary. Following completion of the event, the College will hold the photos and video recordings for five years, then securely destroy/delete following College procedures.

Photographic/video images shared on websites and social media will be in general circulation and may be retained in a historical archive indefinitely or permanently.

International data transfer and publication

The UK GDPR restricts the transfer of personal data to countries outside the UK, or international organisations. Transfer is restricted in this way because once data is transferred it may not be subject to the UK GDPR and you will lose the ordinary UK GDPR protections and rights. Once the data has been transferred it may be subject to other local data protection laws in the receiving country – or no data protection law at all, if no such law exists in the receiving country. Once data has been published in the public domain it is difficult to retract and/or contain.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are:

  • right to be informed (e.g. privacy notice),
  • right of access,
  • right of rectification,
  • right of erasure (commonly known as the right to be forgotten),
  • right to restrict processing,
  • right to object,
  • right to data portability and
  • the right to know of any automated decision making (including profiling).

It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

The rights that apply for this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request your personal data is deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website.

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Who is collecting the information?

Edinburgh College is the Data Controller for the information processed by the College. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

SilverCloud Health is the provider of the SilverCloud platform.

Why are we collecting it and what are we doing with it (Purpose)?

SilverCloud is a digital platform used to provide online packages of mental health and wellbeing support for individuals. It is provided by SilverCloud Health. SilverCloud can be used by Edinburgh College Students and Staff. Your personal data is used to enable you to sign up to and access the available resources.

Your personal data is also used, with your agreement, by Edinburgh College Wellbeing staff to contact students to offer an introductory session to the platform. The College’s Occupational Health (OH) Nurse may also make available, to staff with certain health conditions, hidden resources on the platform relating to that specific condition.

What personal data do we collect?

Edinburgh College will not collect your personal data directly for the purpose of you accessing SilverCloud.

If you are a student and you agree on sign-up to receive support to access the platform, your name and contact details will be shared by SilverCloud with the Wellbeing Team so they can get in touch. If you are a member of Staff who wishes to access specialised resources, the OH Nurse will use your email address to allow access.

Further personal data will be processed by SilverCloud directly. The type of personal data will depend on how you use the resources available on SilverCloud; this may include special category personal data, such as health data. Please refer to their Privacy Notice for further information: https://uk.silvercloudhealth.com/help/privacy/

Administrators at Edinburgh College will have access, via the SilverCloud platform, to anonymised usage and evaluation information for reporting purposes only.

The lawful basis for the processing

Students: Edinburgh College is providing the health and wellbeing service as part of its duty of care to students as set out in the Post-16 Education (Scotland) Act 2013 and the Further and Higher Education (Scotland) Act 2005. Therefore, for the information directly processed by the College, the lawful basis for processing is

  • Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject
  • Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

 

Staff: Edinburgh College is providing a health and wellbeing service as part of its duty of care to its employees under Employment law, including Employment Rights Act 1996. Therefore, for the information directly processed by the College, the lawful basis for processing is

  • Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”

 

However, as Edinburgh College does not ‘refer’ students or staff to this service; nor receive data on who specifically uses it; and because users have a genuine choice as to whether to use this self-help tool, it is believed that the lawful basis for processing personal data, and special category data, in this instance, would be:

  • Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purpose”
  • Article 9(2)(a) “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes…”.
Who we share the information with

The majority of your personal data, for this service, will be processed by SilverCloud Health (third party), the provider of the SilverCloud platform and a ‘data processor’ for Edinburgh College.

We may also need to share your personal data outside of the College if required to do so by law.

How long do we hold the personal data?

If a student wishes to receive support to use SilverCloud, their name and contact details will be retained by the Edinburgh College Wellbeing team for the current academic year then securely deleted.

Personal data and any special category personal data provided by students or staff on the SilverCloud platform will be retained by SilverCloud Health for the duration of the contract with Edinburgh College, then it will be securely deleted.

Individuals’ rights in relation to this processing

Under data protection law, individuals (data subjects) have a number of rights. Some of these are not absolute, and certain requirements need to be met for them to apply. The full list of rights individuals have are:

  • Right to be informed (i.e., this privacy notice)
  • Right of access – you have the right to access (and have a copy) to the personal data held about by the college
  • Right to rectification – you have the right to request inaccurate or incomplete data held about you is corrected
  • Right of erasure – commonly known as the right to be forgotten (RTBF), you can request an organisation deletes the personal data they hold about you
  • Right of restriction – you can request the processing of your data is restricted
  • Right to object – you have a right to object to the processing activity
  • Right to data portability – you can request an organisation provides your data in a machine-readable file e.g. .csv file and transfer that to another organisation
  • Right to know if your data is subject to any automated decision making, including profiling – the college does not do this with staff or student data.

In addition, where you have consented to the use of your personal data, you have a right to withdraw your consent at anytime.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk .

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Who is collecting the information?

Edinburgh College has appointed a named Data Protection Officer (DPO), Lizi Bird, who can be contacted by emailing DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect your personal data for the following purposes:

To process your application to study one of our courses

This will include reviewing your application to see if you have met the entry criteria for a course; and offering a place on an Edinburgh College course where appropriate (some courses will require you to attend an interview).

Where you accept an offer of a place on an Edinburgh College course we will use your information to provide you with a timetable; provide you with other essential information required to begin your studies, and to invite you to a registration event.

If your course requires you to have a Protecting Vulnerable Groups (PVG) check we will use the information you have supplied to arrange this with you directly.

To review your student funding and childcare funding eligibility

When you have been offered a place on an Edinburgh College course, if you choose to apply for funding, the college’s Student Funding Team will review your course and funding applications, and use the information provided about your education, location and personal circumstances to consider whether you are eligible for student funding support.

When you accept an offer of a place on a Further Education (FE) course at Edinburgh College you will have the opportunity to apply for student funding on the EMA/Bursary and Childcare funding sections of the application website. If you choose to apply for funding you will receive an email asking you for documentary evidence to support your application. This email will give you instructions on how to supply this and about what will happen next. (Please note childcare funding can only be awarded for registered childcare costs whilst you are attending classes).

If you accept a place on a Higher Education (HE) course you will have the opportunity to apply for childcare funding on the funding application website. If you choose to apply for funding you will receive an email asking you for documentary evidence to support your application. This email will give you instructions on how to supply this and about what will happen next. (Please note childcare funding can only be awarded for registered childcare costs whilst you are attending classes).

To arrange payment of course fees

If you or your employer are paying for your course of study, the college will contact you separately to request further information, including bank details (for example).

If you are eligible for a fee waiver, and have been offered a place on an Edinburgh College course, the college will collect further information and evidence from you separately – this will either be through the course application system, or directly from you.

If you have applied for an Individual Training Account to part pay your course fees you will be asked to provide the college with proof of income in the form of a P60 or your last three months’ payslips.

To review any additional support needs you may have

This application form gives you the opportunity to tell the college about any additional support need(s) you may have. The Learning Support Team contacts applicants who indicate an additional support need to provide them with information about learning support at college. This information is not used in any selection or allocation process.

To analyse student applications for business, planning and equal opportunities purposes

The college analyses student applications, including by key protected characteristic groups (including age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; gender; and sexual orientation) to plan and improve its services and curriculum offering. Analysing applications by key protected characteristic groups forms part of the college’s responsibilities under the Public Sector Equality Duty, part of the Equality Act 2010. This information (where you choose to supply it) will not be used in any selecting or allocating process.

To keep in touch with you about wider college activities (for marketing purposes)

The college will inform you about the essential information you will need to begin your course. However, the college would also like to keep in touch with you, before you start your course, about wider events and activities across the college beyond your course of study – we will always ask for your consent to send you this additional information, and if you consent, you can withdraw this at any time by emailing Marketing@edinburghcollege.ac.uk

To meet our responsibilities in relation to your school, local authority, and Skills Development Scotland

If you are a “school leaver” (you are due to leave school and are applying for a college place whilst still at school) we will share basic information about the status of your application with Skills Development Scotland and in certain cases with school guidance teachers. This will be limited to the status/progress of your application.

If you have been referred to the college by a local authority or local authority support service we will share basic information about the status of your application with that local authority/local authority support service. This will be limited to the status/progress of your application.

We will share your personal data with other third parties (for example a parent or guardian if you are 16 or over) only where we have your consent.

The college is required to provide certain information on “young people” (individuals aged 15 to 25) to Skills Development Scotland (SDS), to enable SDS to a). monitor that young person’s involvement in education or training; b) provide advice or support with regard to that young person’s training. This is explained in our information sharing section below.

What personal data do we collect?

Personal data

  • Name, primary & term address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • Method of course payment (if applicable)
  • National Insurance Number (Modern Apprentices; ESF-funded students; ITA-funded students only)
  • Previous education (including Scottish Candidate Number), qualifications and employment history
  • Employment status (e.g. jobseeker) and history
  • Skills & experience (personal statement)
  • UK Visa status
  • Your IP Address (your unique online identifier when browsing the internet)
  • Method of payment
  • If you are a carer or have caring responsibilities
  • Care experienced/looked after background status (if applicable)
  • First/preferred language
  • Residency information/date & reason of entry to UK/EU
  • Veteran status

Special category data (only where you provide this; or it is required by law*)

  • Gender (and gender identity)
  • Sexual orientation
  • Religion or religious denomination
  • Ethnicity
  • Disability & health data (including mental health)
  • Pregnancy and maternity information
  • Special interest group status (e.g. asylum seeker; refugee; stateless person; person with profound or complex needs)
  • *Offences and alleged offences (for the purposes of PVG checks where required)
  • *Criminal proceedings, outcomes and sentences (for the purposes of PVG checks where required)

 

How are we collecting this information? What is the source?

We collect this information directly from you through the college’s application form (or directly from you, after you have submitted your application, in the circumstances explained below):

If your course of study requires you to be subject to a PVG check we will collect further details directly from you, following submission of your application.

If you apply for student funding we will use information from your application (name; date of birth; gender; address and course details) and collect additional information from you through the Student Funding Application Form – we will explain how we use that information in a separate privacy notice provided to you at that time.

Where we need further information around the payment of your course fees, or your exemption from paying course fees, we will collect this information from you separately. (Please note, fee-waiver evidence will be collected through the college’s application form for certain courses).

If you enrol on an Edinburgh College course we will confirm the information you have provided via our self-enrolment form (you will be provided with a link to our enrolled students’ privacy notice at that point).

The lawful basis for the processing

For processing of your personal data in order to process your application, the lawful basis is GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. The specific law authorising this is the Post-16 Education (Scotland) Act 2013.

Where your special category personal data are processed, the lawful basis is GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

Where the college processes your special category data specifically to provide learning support, the specific law authorising this is the Post-16 Education (Scotland) Act 2013.

Where applicants’ special category demographic information (gender identity, sexual orientation, race, ethnicity) are processed for the purposes of analysis in order to advance equality of opportunity and treatment for all student groups, the specific law authorising this is the Equalities Act 2010 (but only where you’ve chosen to supply this information).

Where your personal data are shared with your school or local authority for the purposes of updating them on your application status, the specific law authorising this is the Education (Scotland) Act 1980.

Where your personal data are shared with Skills Development Scotland, the specific law authorising this is the Post-16 Education (Scotland) Act 2013 and specifically the Young People's Involvement in Education and Training (Provision of Information) (Scotland) Order 2014.

Who we share the information with

The college shares your information with the following data controllers:

Your local authorities and/or school (where you are a school leaver, or have been referred to the college via a local authority department or support service)

Skills Development Scotland: if you are aged 15-25 the college is required to provide the following information to Skills Development Scotland via a secure data hub: your name, address, telephone number, date of birth, Scottish Candidate Number; course information (including start and end date); application/enrolment status; course withdrawal or completion information.

Data processors: The college uses the following data processors to process your personal information:

Unit-E and CAMS are provided by third party suppliers, to process student applications and student funding applications. Microsoft (Reporting functions) are used to report on data supplied. These are hosted by Edinburgh College and sit within the college’s technical controls.

How long do we hold the personal data?

Application data will be deleted from our systems after 7 years.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice); right of access; right of rectification; right of erasure (commonly known as the right to be forgotten); right to restrict processing; right to object; right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

The rights that apply for this particular processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the college. To do this, please email the DataProtection@edinburghcollege.ac.ukand your request will be processed accordingly.
  • Right to rectification – you can request that inaccurate or incomplete personal data is rectified.
  • Right to Erasure (this right is not absolute and is subject to specifics of the request).
  • Right to object (including to direct marketing). The right to object to direct marketing is absolute and will be responded to accordingly.
  • Right to data portability (this right is not absolute and is subject to specifics of the request).
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk.

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?
  • To enrol you onto your course and add you to our college system - although you are still enrolled at your school, for the College to be able to claim funding for the course you are attending, we need to know who will be on the course and collect certain details from you. 
  • To support teaching and learning – this may involve monitoring how well you are doing on your course through assessments and examinations; providing you with access to learning and teaching tools (including online tools); enabling you to communicate with staff and fellow pupils; seeking your feedback; dealing with any issues or complaints; and telling you about events related to your learning.
  • To meet our duty of care to you and other legal obligations – including health and safety and safeguarding laws; to ensure reasonable adjustments are in place where you have declared you have a disability; to protect your vital interests or someone else’s e.g. in a medical emergency; to monitor equality of opportunity and eliminate unlawful discrimination under the UK Equality Act 2010.
  • For public safety and the prevention and detection of crime – we use CCTV on our campuses; we monitor use of IT facilities; and we apply security and welfare measures for the safety and security of students and the wider College community under health and safety and other relevant laws.
  • To analyse student applications for business, planning and equal opportunities purposes - the college analyses student applications, including by key protected characteristic groups (including age; disability; gender reassignment; race; religion or belief; gender; and sexual orientation) to plan and improve its services and curriculum offering. Analysing applications by key protected characteristic groups forms part of the college’s responsibilities under the Public Sector Equality Duty, part of the Equality Act 2010. This information (where you choose to supply it) will not be used in any selecting or allocating process.
  • To meet our responsibilities in relation to your school and local authority, and Skills Development Scotland - we will share basic information with your School and local authority (for example City of Edinburgh Council; Midlothian and East Lothian councils). 
  • To promote the college - we may take photographs, and other images and recordings of students for possible use in our publicity and promotional material in print and online on our websites and social media. We may also inform you about college services and college events or other direct marketing purposes. 
What personal data do we collect?

Personal data is information which identifies you, and also relates to your life (whether that’s your home life, education, business or job). Some of your personal data (like your health information, religion, or ethnicity) is more sensitive – this is called “special category data”. 

Personal data

  • Name, address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • School year at start of next academic session (i.e. S4, S5 or S6)
  • Course and units of study (including previous courses of study)
  • Assessment information related to your course, including assessment and exam dates and results
  • Appeals and complaints information
  • Attendance data
  • Your unique student ID
  • If you are a carer or have caring responsibilities
  • Care experienced/looked after background status (if applicable)
  • First/preferred language
  • Evidence to support Alternative Assessment Arrangements (including examinations).
  • Your IP Address (your unique online identifier when browsing the internet).

Special category data (only where you provide this; or it is required by law)

  • Gender (and gender identity)
  • Sexual orientation
  • Religion or religious denomination
  • Ethnicity
  • Disability & health data (including mental health); additional support need information
  • Medical information and medication administration information
  • Special interest group status (e.g. asylum seeker; refugee; stateless person; person with profound or complex needs).
How are we collecting this information? What is the source?

We collect the majority of information directly from you through the college’s Direct Enrolment application form. We may also receive relevant information about you from your School/Local Authority.

The lawful basis for the processing

For everything we do with personal data, we are required to identify a ‘lawful basis’; these are listed in the UK General Data Protection Regulation (UK GDPR)

To enrol you and use your personal data whilst you are on your course, the lawful basis is UK GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” or for certain circumstances 6(1)(c) “processing is necessary for compliance with a legal obligation”. 

Where your special category personal data are processed, the lawful basis is UK GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”, alongside a condition from Schedule 1, part 2 of the Data Protection Act 2018, in this case section 6 “Statutory etc and government purposes”.

We may also use your personal information where we need to protect your, or someone else’s, vital interests (e.g. if you are unwell and an ambulance is required; or if we have a safeguarding concern about a student). In this case, UK GDPR Article 6(1)(d) “processing is necessary in order to protect the vital interests of the data subject or of another natural person” would apply.

Where you have provided your consent for use of image/footage of you; or where we’ve asked you if you’re interested in receiving direct marketing, the lawful basis is UK GDPR 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”. You can withdraw your consent for this at any time by contacting: marketingteam@edinburghcollege.ac.uk

Who we share your information with
  • Your local authority and/or school (for example: City of Edinburgh Council; Midlothian Council; East Lothian Council). This is provided through a secure ‘schools tracker’.
  • The government or its agencies, including the Scottish Funding Council (SFC), and other official bodies to submit statistical returns.
  • Emergency services (fire, police, ambulance) or a health or social care professional to protect your vital interests or someone else’s e.g., in a medical emergency or safeguarding concern.
  • The Police or other law enforcement agency, where this is necessary for law enforcement. 
  • With Local Authority Social Care teams or other ‘Corporate Parents’ where our Corporate Parenting responsibilities require us to support the wellbeing of children and young people, who enrol at Edinburgh College and who are Looked After, Care Experienced and/or Care Leavers. Please note, local authorities may nominate other organisations and services to fulfil Corporate Parenting duties on their behalf (e.g., Barnardos; Dean & Cauvin; supported accommodation services) and Edinburgh College will share information accordingly.
  • To third parties we have appointed to work for us, e.g., online learning platform (Moodle), and plagiarism detection systems (Turnitin).

Where sharing is not for the above or a legal obligation, we will share your personal information only when we have your consent. If you are under 16, we may share your personal information with a parent or guardian.

How long do we hold the personal data?

Personal data will remain on the college’s Student Record System in line with the college’s retention schedule.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. The rights that apply for this processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the college. To do this, please email the DataProtection@edinburghcollege.ac.uk and your request will be processed accordingly.
  • Right to rectification – you can request that inaccurate or incomplete personal data is rectified.
  • Right to Erasure (this right is not absolute and is subject to specifics of the request).
  • Right to object (including to direct marketing). The right to object to direct marketing is absolute and will be responded to accordingly.
  • Right to data portability (this right is not absolute and is subject to specifics of the request).
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

SK9 5AF

Who are we?

We are Edinburgh College, and we’re respo​nsible for looking after the information you giv​e us when you enrol at Edinburgh College (under data protection law we are the Data Controller). Our address is: Milton Road Campus, 24 Milton Road East, Edinburgh EH15 2PP. Our designated Data Protection Officer (DPO) is Lizi Bird, who can be contacted by email at: DataProtection@edinburghcollege.ac.uk

What is our commitment to you, and your personal data?

Edinburgh College is committed to protecting the privacy and security of your personal information.

This privacy notice explains how we collect, use and share your personal data, and your rights in relation to the personal data we hold. (You can read more about these in “Your Rights” below).

We will comply with the data protection principles of data protection law.

We will:

  • Use your data in a lawful, fair and transparent way (lawfulness, fairness and transparency)
  • Collect it only for valid purposes, that we have clearly explained to you, and not use it for any purpose incompatible with the original purpose (purpose limitation)
  • Ensure it’s adequate and relevant to (and just enough to achieve) these purposes (data minimisation)
  • Ensure your data are accurate and up-to-date (accuracy)
  • Keep your data only as long as necessary for the purposes we collected it for (storage limitation)
  • Keep your personal data secure (security)
What is "personal data"?

Personal data is information which identifies you specifically, and also relates to your life (whether that’s your home life, education, business or job). We tell you about the specific items of personal data we collect from you below. When we completely anonymise your data (so that individuals cannot be identified) it stops being personal data.

What is “special category data”?

Some of your personal data (like your health information, religion, criminal convictions or ethnicity) is more sensitive – this is called “special category data” (we tell you which special category data we collect from you below). In most circumstances you do not have to provide this information (unless you are completing a PVG application, where you must supply this information).

When you apply for certain specific special categories of Additional Support Funding (for example, because you’re eligible for additional help to travel to college due to a pre-existing health condition), the college must ask you to give us certain health details to process your application.

Where you’ve agreed special college attendance arrangements with your Learning Development Tutor (under the college’s Flexible Attendance Policy) you will need to provide certain health information to your Learning Development Tutor (where this is the reason for the putting the special attendance arrangement in place). If you receive discretionary funding your Learning Development Tutor will inform the college’s Student Funding Team that you have agreed flexible attendance, but will not pass on details of your health condition.

What information do we collect about you?

Personal data

  • Name, address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • Employer details
  • National Insurance Number (Modern Apprentices only)
  • Bank account details
  • Previous education, qualifications and employment history
  • Employment status (e.g. jobseeker) and history
  • Course and units of study (including previous courses of study)
  • Assessment information related to your course, including assessment and exam dates and results
  • Disciplinary information
  • Appeals and complaints information
  • Attendance data
  • Financial information
  • Personal financial circumstances (including family)
  • Photographic footage
  • Passport number and country of domicile
  • Your IP Address (your unique online identifier when browsing the internet)
  • Your unique student ID
  • If you are a carer or have caring responsibilities
  • First/preferred language
  • Pregnancy and maternity information

Special category data (only where you provide this; or it is required by law*)

  • Gender (and gender identity)
  • Sexual orientation
  • Religion or religious denomination
  • Ethnicity
  • Disability & health data (including mental health)
  • Marital/civil partnership status
  • Special interest group status (e.g. asylum seeker; refugee; care-experienced; stateless person; veteran; person with profound or complex needs)
  • *Offences and alleged offences (for the purposes of PVG checks)
  • *Criminal proceedings, outcomes and sentences (for the purposes of PVG checks)
How do we collect your personal data?
  • When you first apply for a place on an Edinburgh College course, we will collect data about you on our application form (we explain this in our Application Privacy Notice).
  • When you formally enrol on a course by completing our self-enrolment form, we give you the chance to check some of the personal information you provided at application stage; and we also ask you for new items of personal information.
  • If you’re a private individual (or company) purchasing a course.
  • When you apply for discretionary funding (including bursaries, Educational Maintenance Allowance, childcare or discretionary funding); we will use information you have already provided at application and enrolment stage; together with information we’ll ask you to provide on our discretionary funding application forms.
Why do we need the information we’re asking for?

For academic purposes: to provide you with teaching, learning and support services; to assess your work; record your progress and ensure you receive certificates from awarding bodies like SQA and BTEC.

We collect and use your information to:

  • Enrol you as a student
  • Administer our programmes of study, including funding and fee arrangements
  • Monitor your performance and attendance, supervise, conduct assessments and examinations, confer Edinburgh College awards; and provide awarding bodies with assessment results to enable them to confer awards.
  • To give you access to Student Support, IT, library, careers, and other college services.
  • To give you access to learning and teaching tools (including online tools) used as part of your course (e.g. Moodle, Mahara, Turnitin)
  • Deal with appeals, complaints and disciplinary matters promptly and fairly
  • Provide academic guidance and enable you to communicate with staff, your student representatives and fellow students on your programme of study
  • Invite you to college graduation ceremonies
  • Seek your feedback on our courses
  • Communicate with you about learning, teaching, student support, graduation (and FE awards events)

For administrative and financial management services: to administer fees due and paid for by you and to process payment made for other college related services (for example accommodation); to provide eligible students with childcare and other discretionary funding.

We collect and use your information to:

  • Administer and collect payment of course fees from you, or an employer
  • Process payments for additional college services like accommodation; graphics and printing services; and library fines
  • Assess your entitlement to student support payments (like Education Maintenance Allowances (EMAs), Childcare Fund payments, bursaries and discretionary funds) and make arrangements for the payment of these to you in the event you are successful.
  • Communicate with you in connection with administrative and financial services.

To meet our duty of care to you and other legal obligations: to comply with a legal obligation; protect your vital interests in an emergency; exercise or defend legal claims or comply with court judgements; and protect public health.

We collect and use your information to:

  • Meet our legal duty of care to you under health and safety and safeguarding laws;
  • Protect your vital interests or someone else’s e.g. in a medical emergency;
  • Provide health and counselling services
  • Comply with a statutory obligation (e.g. under tax or immigration law; as part of the Protection of Vulnerable Groups (PVG) Act 2007).
  • Meet our obligations under equality law. Under the UK Equality Act 2010 we need to collect special category personal data about our students to assist with monitoring equality of opportunity and eliminating unlawful discrimination. We hold this information in strictest confidence and disclose it to bodies with a statutory duty to collect it (i.e the Scottish Funding Council). You can choose whether you want to provide information for this purpose.
  • If a student or applicant declares they have a disability, we have a duty to disclose this information on a need-to-know basis to staff to ensure that reasonable adjustments are made, enabling disabled students to meet their full academic potential.

For public safety and the prevention and detection of crime: where this is necessary for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security.

Processing your personal data for these purposes includes:

  • Use of CCTV to monitor and collect visual images
  • Monitor use of IT facilities
  • Apply security and welfare measures for the safety and security of students and the wider College community under health and safety and other relevant laws

To promote the college: we may take photographs, and other images and recordings of students for possible use in our publicity and promotional material in print and online on our websites and social media. We would also like to inform you of other college services (including the gym and college restaurants); and college events; for direct marketing purposes.

Processing your personal data for these purposes includes:

  • We will take photographs of students at events including Graduation, Open Days, and our FE Awards ceremony. Where you are the subject of the photo we will ask for your consent before using your image in our publicity and promotional material (which will include print and online material - both on our website and on social media).
  • Where you are not the subject of a photograph or film, but are included in a group setting (e.g. as part of the crowd at graduation) we will make you aware of the filming and photography and give you the chance to object/not be filmed/photographed.
  • We will keep copies of promotional material in our archives as a record of the College’s activities.
  • We will keep you informed of additional college services (like the gym, and our restaurants) and college events which may be of interest to you (but only where you have given your consent to receive direct marketing).

For research: where this is necessary for statistical purposes and also research in the public interest.

Processing your personal data for these purposes includes:

  • Surveying graduates from our full time programmes of study to find out if they entered work, further study, or are doing something else.
  • Producing management and statistical information to monitor and improve our performance and our services to you and inform strategic planning (e.g. for recruitment).

 

Who your information will be shared with and why:

We will share your personal data only where we must do so to comply with a legal obligation; or where sharing your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Edinburgh College. Where sharing is not on the basis of one of the two reasons above, we will share your personal information only when we have your consent (for example, for direct marketing about college goods and additional services)

Please be aware that we will appoint people and organisations to work for us, and contract them to act as data processors on our behalf. Examples of when we do this include: Moodle, plagiarism detection systems (Turnitin); and BePersonnel (to enable them to provide one to one tailored support where this has been identified as a requirement of your Personal Learning Support Plan).

We will also share limited personal data where this is necessary for the following purpose:

For academic purposes: such as providing the results of assessments to awarding bodies to enable them to confer you with academic awards (e.g. a HNC, SVQ, BTEC qualification); arranging an industry placement for you as part of your studies, to allow you to join the Edinburgh College Students’ Association (ECSA) or verifying your attendance and progress to your sponsor.

Processing your personal data for these purposes includes:

  • Sharing your personal details and assessment results with awarding bodies (e.g. SQA, BTEC, City and Guilds) to enable them to confer awards upon you (e.g. HNC, HND certificate)
  • To deliver a programme collaboratively or jointly between the College and the partner institution, for example, a University.
  • To check that our assessment of your work is fair we will share information with external examiners.
  • To undertake official independent assessment of our programmes e.g. by the SQA, BTEC
  • To confirm your attendance, progress and assessment marks to your sponsor (e.g. your employer) or the institution through which you are studying.
  • To arrange a suitable industry placement if this is part of your course.
  • To publicise your award in our graduation programme and in the list of awards we provide in press releases to news media. (We will ask you for your consent for this).
  • To enable you to participate in the National Student Survey or other official surveys that give us your feedback on our academic quality and your student experience.

Where we have a legal obligation: this will include sharing with emergency services in a medical emergency, or to assist police investigating a crime, or to provide local councils with information on your choice of course, attendance and progress, and whether you are facing any barriers to education (if you are a school leaver, or school-college partnership student).

Processing your personal data for these purposes includes:

  • To help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s e.g. in a medical emergency.
  • To administer your right to be a member of the Edinburgh College Student Association and vote in its elections.
  • Submitting statistical returns to the government or its agencies, including the Scottish Funding Council (SFC), Skills Development Scotland (SDS), and other official bodies. This will include sharing your special category data (where you’ve provided it) with the Scottish Funding Council for equality monitoring purposes; we will also share the destinations of full time graduates with the Scottish Funding Council, where graduates have agreed to take part in our survey.
  • To meet a statutory or regulatory obligation, (e.g. providing details on your course choice, progress, and any barriers to your local authority).
  • Confirming your eligibility for tuition fee funding with agencies including the Student Awards Agency for Scotland (SAAS), the Student Loans Company or your sponsor.
  • To comply with immigration laws. This involves disclosure and data sharing with UK Visas and Immigration authorities about applicants and students who are subject to immigration law.
  • To provide limited information necessary to an organisation with a statutory function, such as the police, where this is necessary for law enforcement.

To enable you to access the services of Edinburgh College Development Trust: including financial hardship and extra-curricular grants.

Processing your personal data for these purposes includes:

  • Where you indicate you wish to receive direct marketing from Edinburgh College Development Trust, about their activities, we will share you contact preferences with them.
  • Where you are applying to the Edinburgh College Development Trust through the Green Project Fund we will share your forename, surname, contact details, and programme of study. Where you are applying to the Edinburgh College Development Trust through the McLeod Memorial Fund, we will also share your health and socio-economic circumstances, as part of the process of evaluating your application.
  • We will share you information with the Edinburgh College Development Trust either where this it required in order for you to enter into a contract with them (to access funding) or where we have your consent (to inform them of your direct marketing preferences).
International Data Transfers

As a global organisation we may process your personal information in a country outside the European Economic Area (EEA), when this is necessary to provide you with academic and support services, or fufil a contract with you.

When doing so we will:

  • Make sure that appropriate safeguards are in place to protect your information and your rights under privacy law;
  • Apply the same high standards of privacy and security wherever we process your data.
Your rights

Because this is your personal information, you have rights under data protection law. You have the right to:

  • Be told what personal information Edinburgh College is keeping about you (this privacy notice)
  • Obtain a copy of the data, free of charge within one month of your request (known as a Subject Access Request)
  • Make Edinburgh College change any personal information that’s wrong, out of date or incomplete.
  • If it’s wrong or out of date, to stop us using your personal information until we’ve put it right.

If you think we are acting unfairly or unlawfully you can:

  • Object to the way we are using your data, by contacting Edinburgh College’s Information Management team by emailing DataProtection@edinburghcollege.ac.uk or you can speak to the team on 0131 297 8663. The team will be happy to help; but we also have an independent Data Protection Officer (Lizi Bird) you can speak to if you’d prefer – we’ve included her details in a separate section below.
  • Complain to the UK Information Commissioner’s Office by calling their helpline on 0303 123 1113. (The Information Commissioner’s Office is the regulator and makes sure organisations across the UK treat your personal information properly).

Under certain conditions you also have the right to ask:

  • To restrict the use of your data (e.g. if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns);
  • Erase your information, known as the ‘Right to be Forgotten’
  • Tell us to stop using your personal data to make decisions about you;
  • Tell us to comply with your wishes where you have previously consented to us processing your data for a particular purpose and have withdrawn your consent to further processing;
  • Provide you with a portable electronic copy of the data you’ve given us (data portability).
Data Protection Officer and contact details

Edinburgh College has an independent Data Protection Officer you can speak to – she can be contacted via DataProtection@Edinburghcollege.ac.uk or 0131 297 8663.

How long will we keep your data?

We will keep information about you only for as long as needed to provide you with academic and support services and meet our legal obligations and rights.

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect and process your data for assessing eligibility for funding assistance and for management planning purposes. The following details this further explaining each purpose and how they relate to the different types of courses etc.

To assess and process your application for student funding assistance

Further Education (FE) courses:

When you accept an offer of a place on a Further Education (FE) course at Edinburgh College you will have the opportunity to apply for student funding on the EMA/Bursary and Childcare funding sections of the application website. If you choose to apply for funding you will receive an email asking you for documentary evidence to support your application. This email will give you instructions on how to supply this and about what will happen next. (Please note childcare funding can only be awarded for registered childcare costs whilst you are attending classes).

Higher Education (HE) courses:

If you accept a place on a Higher Education (HE) course you will have the opportunity to apply for childcare funding on the funding application website. If you choose to apply for funding you will receive an email asking you for documentary evidence to support your application. This email will give you instructions on how to supply this and about what will happen next. (Please note childcare funding can only be awarded for registered childcare costs whilst you are attending classes).

The assessment process:

The assessment process will include reviewing your application and supporting documents to verify that you meet the eligibility criteria for funding; assessing your application for the correct level of funding in accordance with Scottish Funding Council policies, and issuing an award decision notice.

In order to assess your eligibility and level of award the Student Funding Team will use the information you have provided about your education, location and personal circumstances to consider whether you are eligible for support. The Student Funding Team will also review the information you have provided on your course application, should it be necessary to do so. 

For Childcare Funding applications the assessment process may also include contacting your childcare provider to confirm or clarify details of the childcare cost information they have provided in the Childcare Costing Document submitted with your application.

To analyse student funding applications for planning purposes

The college analyses student funding applications by award level and type for the purposes of budget planning, and to ensure the college is meeting Scottish Funding Council recommendations regarding priority groups (lone parents, young carers and care experienced students).

What personal data do we collect?

Personal data

  • Name, primary & term address, telephone number, email address
  • Date of birth
  • Course information (course choice, mode and level)
  • Previous education (including Scottish Candidate Number), qualifications and employment history
  • Previous funding history
  • Employment status (e.g. jobseeker) and history
  • UK Visa status; Home Office status; EU residency (as required)
  • Household composition and tax-year annual income of both student and relevant household members as applicable (also includes estrangement)
  • Bank details
  • If you are a carer or have caring responsibilities
  • Care experienced/looked after background status (if applicable)
  • Details of siblings/dependants/adult dependants where applicable and relevant
  • Details of registered childcare provider and childcare provision required
  • Your IP Address (your unique online identifier when browsing the internet)

Special category data

  • Gender (and gender identity)
  • Disability & health data (including mental health) when relevant to award
  • Marital/civil partnership status
  • Special interest group status (e.g. asylum seeker; refugee; stateless person; person with profound or complex needs)
  • Nationality
  • Residency information/date, duration & reason of entry to UK/EU
How are we collecting this information? What is the source?

We collect this information directly from you through the college’s funding application form

(or directly from you, after you have submitted your application, in the circumstances explained below):

Student Funding

If you apply for student funding we will use information from your course application (name; date of birth; gender; address; email address, phone number and course details) and collect additional information from you through the Student Funding application form.  You will be sent an email on submission of your online application form that will tell you about the supporting evidence you will need to provide in order to complete your application.

Childcare Funding

When we need further information about registered childcare costs, or need to verify the details of those costs (costs are verified three times a year in November, January and April), the college will contact your childcare provider directly. The information we will request is limited to: provider address and contact details; Care Commission registration number; start and end dates of provision; days, start and end time and daily cost of provision; details of Local Authority Partnership Funding being claimed by the provider (if any), contractual information (number of weeks of contract, holiday billing); bank details for payment of award.

Change of circumstances

Where you advise us of a change of address or change in circumstances, and we need further information about this to assess any change in eligibility, we will collect this information from you separately.

The lawful basis for the processing

For processing of your personal data in order to process your application, the lawful basis is GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. The specific law authorising this is the Post-16 Education (Scotland) Act 2013 and underpinning legislation is described in further detail below.

Where your special category personal data are processed, the lawful basis is GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

Student funding legislation

College governing bodies have power under section 12(2)(c) of the Further and Higher Education (Scotland) Act 1992 to provide students of the college such assistance of a financial or other nature as it considers appropriate. 

It is a condition of the Education (Access Funds) (Scotland) Direction 2017, that SFC shall administer student support funds, in conjunction with the Post 16 education bodies, in accordance with the requirements of section 73ZA of the Education (Scotland) Act 1980, the Education (Access Funds) (Scotland) Regulations 1990, the Education (Access Funds) (Scotland) Determination 2013.

Who we share the information with

The college shares your information with the:

Scottish Funding Council (SFC): if you are awarded EMA, bursary or childcare funding the college is required to provide the following information to the Scottish Funding Council via secure data hub: your name, address, date of birth, course identifier, student matriculation number, total household income and details about the amount and type of funding you are in receipt of. This sharing is carried out securely and an appropriate data sharing agreement is in place between SFC and the College.

The college uses the following data processors to process your personal information:

Unit-E, TeQuios and CAMS systems are provided by third party suppliers (e.g. Capita Further and Higher Education), to process student applications and student funding applications. These are hosted by Edinburgh College and sit within the college’s technical controls. The college also has appropriate contracts in place with these third party suppliers. Microsoft (Reporting functions) are used to report on data supplied.

How long do we hold the personal data?

Paper and electronic records are destroyed after seven years; personal and award data will remain on the college’s Student Funding system in line with the college’s retention schedule.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice); right of access; right of rectification; right of erasure (commonly known as the right to be forgotten); right to restrict processing; right to object; right to data portability and the right to know of any automated individual decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

The rights that apply for this particular processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the college. To do this, please email the DataProtection@edinburghcollege.ac.ukand your request will be processed accordingly.
  • Right to rectification – you can request that inaccurate or incomplete personal data is rectified.
  • Right to Erasure (this right is not absolute and is subject to specifics of the request).
  • Right to object (including to direct marketing). The right to object to direct marketing is absolute and will be responded to accordingly.
  • Right to data portability (this right is not absolute and is subject to specifics of the request).
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk 

Edinburgh College’s Wellbeing team members will usually be the only people involved in the collection of your data (however, if you are being referred to the Wellbeing Service for the purposes of a counselling referral, your Learning Development Tutor (LDT) or another member of Student Experience staff may collect your data in the first instance).

If you are provided with access to any additional services who maybe working in partnership with Edinburgh College further data may be collected by the external organisation providing the service.

Why are we collecting it and what are we doing with it (Purpose)?

The Wellbeing Service collects different types of information for the purpose of providing wellbeing support to the students of Edinburgh College:

  • We collect basic information that helps us get to know you
  • We collect campus, course, and email address, phone number: this is so we can contact you, and make appropriate arrangements to meet with you. It will also help the college to identify trends in access to the service. 
  • We collect your email address to send you the Wellbeing services fortnightly newsletter where you have signed up to receive this.
  • We keep a record of meetings: this will be a basic record of what has been recommended for your support and to help with reviewing at future meetings.
  • We collect presenting issues related to mental health: this is to help us guide you to the best self-management approaches and resources, and this will be done in consultation with you.
  • Where you participate in a session run by a partner organisation such as Penumbra we will share your personal information such as name and contact details with them to enable them to contact you where appropriate.
What personal data do we collect?

Personal data

  • Forename and surname
  • Date of birth
  • Email address
  • Phone number
  • Course
  • Campus of study

Special Category Personal Data

  • Health (including mental health/anxiety information)
  • Any other sensitive information that you decide you want to share in connection with using our service (we will not ask for this). (For example religion, gender identity, sexual orientation, racial or ethnic origin).
How are we collecting this information? What is the source?

We collect this information directly from you when you use our service (only where you choose to supply it).

The lawful basis for the processing

The College’s lawful basis for processing (and sharing) your personal data is UK GDPR Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” and 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” It is the Post-16 Education (Scotland) Act 2013, the Further and Higher Education (Scotland) Acts 1992 and 2005 and the Equality Act 2010, Part 6, Chapter 2 that provides the legal framework and the duty of care the college has for the provision of wellbeing support to students. 

Where special category personal data is collected, then the lawful basis is UK GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest” and Data Protection Act 2018 (DPA) Schedule 1, Part 2 (6) Statutory etc and government purposes.

Who we share the information with

Your data will be shared only as necessary with colleagues in the college such as counsellors, lecturers, LDTs, Curriculum Managers and Learning Support Advisers on a need-to-know basis. In addition to this data may also be shared with partner organisations such as Penumbra, mental health support provider,  if you have asked for specific support. 

We may have to share your personal information if we are legally required to do so or if you, or anyone you tell us about, is at harm or immediate risk of harm - or if we believe there is a risk of terrorism involved.

How long do we hold the personal data?

Your data will be kept for two academic years after you finish your studies at Edinburgh College, it will then be securely disposed of according to College procedures.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. The rights that apply for this particular processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the College. To do this, please email the DataProtection@edinburghcollege.ac.uk and your request will be processed accordingly.
  • Right of rectification – this means you have the right to correct inaccurate or incomplete data the College holds about you
  • Right to restrict processing – this means you can request that the college restrict the processing activity and would normally be used when exercising other rights like the right to rectification
  • Right to object – this means you have the right to object to how the college is processing your data for this purpose.

If you wish to exercise your rights and make a request please contact dataprotection@edinburghcollege.ac.uk 

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk.

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on the ICO website.

You can email them at casework@ico.org.uk or call them on 0303 123 1113 or you can send a letter to them at the following address:

Customer Contact

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow SK9 5AF

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect this information to enable us to assess your learning support needs. The Learning Support Advisers (LSA) can then make recommendations to teaching staff and LDTs for reasonable adjustments that could be made in the classroom/learning environment and alternative arrangements for assessments. The LSA will also make notes in the PLSP of any future support meetings with you.

What personal data do we collect?

Personal data

  • Name (first name, surname)
  • Date of Birth
  • Student Number
  • Address
  • Telephone number
  • Email address
  • Parent/Key worker (if applicable)
  • Third Party Contact (if applicable)
  • Course title
  • Scottish Candidate Number
  • Campus
  • Carer
  • Care experienced
  • Education and qualifications history

Special Category Personal Data

  • Disabilities/Learning Support needs
  • Evidence of disability
How are we collecting this information? What is the source?

Most of the information is collected directly from the student but we also generate information by screening the student if they discloses dyslexia.

The lawful basis for the processing

Under data protection law, the lawful basis for processing your data is Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 6(1)(e) “Processing is necessary for the performance of a task carried ut in the public interest or in the exercise of official authority vested in the controller” The College is required to provide support an make reasonable adjustments under the Equalities Act 2010. The Post 16 Education (Scotland) Act 2013 requires the College to provide quality fundable course and provide the appropriate support for students. For special category personal data, the lawful basis is Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.” Where you have authorised that your progress at college is communicated to a parent or guardian or another organisation, then the legal basis is consent (Article 6(1)(a)). It’s important to note that consent can be withdrawn at any time. Please communicate to your Learning Support Adviser (LSA) if you wish to withdraw your consent.

Who we share the information with

We use the information on the PLSP to make recommendations to teaching staff and Learning Development Tutors (LDTs) for reasonable adjustments that could be made in the classroom/learning environment and alternative arrangements for assessments.

We may share personal data with dyslexia assessors and support suppliers (third party suppliers). All data is shared in order to support the students disclosed need.

If you are a student within the school-college partnership, we ask your Guidance Teacher for information about and evidence of your learning support needs. We also share information with Local Authorities, e.g. social work.

Where you have requested that an individual or organisation is kept up to date with your progress at college we do this but only with your written permission.

All sharing is carried out securely, and with appropriate documentation in place.

How long do we hold the personal data?

We hold the data in your PLSP for 5 years after which the information will be destroyed securely following college procedures.

Individuals’ rights in relation to this processing

Under data protection law, individuals have a number of rights. These rights are as follows:

  • Right to be informed – this privacy notice
  • Right of access – this means you can request a copy of the personal data an organisation holds on you
  • Right to rectification – this means you can request inaccurate or incomplete information is corrected
  • Right to erasure (commonly known as the Right to be Forgotten) – this means you can request that your personal data is deleted and the organisation no longer processes your personal data
  • Right to restriction – this means you can request an organisation restricts how your data is processed. This right links with some of the other rights, for example when you request data is corrected, until the data is corrected you could request the processing is restricted.
  • Right to data portability – this means you have the right to request your data in a machine readable format (e.g. csv file) and transfer it to you or another organisation
  • Right to object – this means you can object to your personal data being processed. This right is absolute in relation to direct marketing.
  • Rights in relation to automated individual decision-making including profiling – you have the right not to be subject to automated individual-decision making.

Not all of these rights are absolute, some have caveats and depend on the legal basis. If you wish to exercise your rights please contact the Data Protection team who will process your request and respond within one month of receipt of your request.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect your personal data for the following purposes:

To process your application to study one of our courses

This will include reviewing your application and personal statement in order to offer you a place on an appropriate Edinburgh College course.

To review any additional support needs you may have

This application form gives you the opportunity to tell the college about any additional support need(s) you may have. This information is not used in any selection or allocation process.

To analyse student applications for business, planning and equal opportunities purposes

The college analyses student applications, including by key protected characteristic groups (including age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; gender; and sexual orientation) to plan and improve its services and curriculum offering. Analysing applications by key protected characteristic groups forms part of the college’s responsibilities under the Public Sector Equality Duty, part of the Equality Act 2010. This information (where you choose to supply it) will not be used in any selecting or allocating process.

To meet our responsibilities in relation to your school, local authority, and Skills Development Scotland

We will share basic information about the status of your application with your local authority (for example City of Edinburgh Council; Midlothian and East Lothian councils) and your school. This will be limited to the status/progress of your application.

We will share your personal data with other third parties (for example a parent or guardian if you are 16 or over) only where we have your consent.

The college is also required to provide certain information on “young people” (individuals aged 15 to 25) to Skills Development Scotland (SDS), to enable SDS to a). monitor that young person’s involvement in education or training; b) provide advice or support with regard to that young person’s training. This is explained in our information sharing section below.

What personal data do we collect?

Personal data

  • Name, primary & term address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • Previous education (including Scottish Candidate Number), qualifications and employment history
  • School year at start of next academic session (i.e. S4, S5 or S6)
  • Skills & experience (personal statement)
  • If you are a carer or have caring responsibilities
  • Care experienced/looked after background status (if applicable)
  • First/preferred language
  • Additional learning support provided in class (e.g. scribe; 1-2-1; and Alternative Assessment Arrangements information (e.g. read or scribe in examinations)
  • Evidence to support Alternative Assessment Arrangements (including examinations)
  • Travel/transport to and from college arrangements

Special category data (only where you provide this; or it is required by law*)

  • Gender (and gender identity)
  • Sexual orientation
  • Religion or religious denomination
  • Ethnicity
  • Disability & health data (including mental health); additional support need information
  • Medical information and medication administration information
  • Special interest group status (e.g. asylum seeker; refugee; stateless person; person with profound or complex needs)

 

How are we collecting this information? What is the source?

We collect the majority of information directly from you through the college’s application form.

However, information on any learning support provided at school and/or alternative assessment arrangements; and any medication you need to carry with you during your studies at college, will be supplied by your guidance teacher in a separate section of your application form.

The lawful basis for the processing

For processing of your personal data in order to process your application, the lawful basis is GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. The specific law authorising this is the Post-16 Education (Scotland) Act 2013.

Where your special category personal data are processed, the lawful basis is GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

Where the college processes your special category data specifically to provide learning support, the specific law authorising this is the Post-16 Education (Scotland) Act 2013.

Where applicants’ special category demographic information (gender identity, sexual orientation, race, ethnicity) are processed for the purposes of analysis in order to advance equality of opportunity and treatment for all student groups, the specific law authorising this is the Equalities Act 2010 (but only where you’ve chosen to supply this information).

Where your personal data are shared with your school or local authority for the purposes of updating them on your application status, the specific law authorising this is the Education (Scotland) Act 1980.

Where your personal data are shared with Skills Development Scotland, the specific law authorising this is the Post-16 Education (Scotland) Act 2013 and specifically the Young People's Involvement in Education and Training (Provision of Information) (Scotland) Order 2014.

Who we share the information with

The college shares your information with the following data controllers:

Your local authority and/or school (for example: City of Edinburgh Council; Midlothian Council; East Lothian Council). This is provided through a secure ‘schools tracker’.

Skills Development Scotland: the college is required to provide the following information to Skills Development Scotland via a secure data hub: your name, address, date of birth, Scottish Candidate Number; course information (including start and end date); application/enrolment status; course withdrawal or completion information.

Data processors:  The college uses the following data processer to process your personal information:

Unit-E is provided by a third party supplier, to process student applications. This software is hosted by Edinburgh College and sits within the college’s technical controls. Microsoft (Reporting functions) are used to report on data supplied.

How long do we hold the personal data?

Personal data will remain on the college’s Student Record System in line with the college’s retention schedule.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice); right of access; right of rectification; right of erasure (commonly known as the right to be forgotten); right to restrict processing; right to object; right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing and the College would be required to process your request in one month.

The rights that apply for this particular processing are:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the college. To do this, please email the DataProtection@edinburghcollege.ac.ukand your request will be processed accordingly.
  • Right to rectification – you can request that inaccurate or incomplete personal data is rectified.
  • Right to Erasure (this right is not absolute and is subject to specifics of the request).
  • Right to object (including to direct marketing). The right to object to direct marketing is absolute and will be responded to accordingly.
  • Right to data portability (this right is not absolute and is subject to specifics of the request).
Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk.

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

When you are withdrawn from College we are required to report your destination to the Scottish Funding Council. By collecting the contributory reasons for a withdrawal, it assists College retention helping the College to identify barriers between a student and education and to support students to overcome these barriers.

What personal data do we collect?

Personal data

  • Name
  • Date of birth
  • Student ID
  • Student destination (e.g. employment)
  • Contributory reasons for leaving (e.g. financial)

Special category data (only where you provide this; or it is required by law*)

  • Health (only if contributory reason for their withdrawal)

 

The lawful basis for the processing

Under GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” It is the Post-16 Education Scotland Act 2013 which requires reporting student withdrawal reasons to the Scottish Funding Council.

Where special category (sensitive) personal data is processed, the legal basis is Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.” Under the Data Protection Act 2018, Schedule 1 Part 2(6)(2)(b) Statutory etc. and government purposes, the College is required under the Post 16 Education (Scotland) Act 2013 to report withdrawal reasons to the Scottish Funding Council.

Who we share the information with

The College is required to report on student destinations to the Scottish Funding Council. Reporting of Student destinations is done securely following the data sharing agreement between the College and SFC.

How long do we hold the personal data?

The data will be retained for 6 years after the end of the current academic year in accordance with the data sharing agreement between the College and SFC.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights, some of these rights only apply if certain conditions are met. Your rights are:

  • Right to be informed (e.g. privacy notice),
  • Right of access,
  • Right of rectification,
  • Right of erasure (commonly known as the right to be forgotten),
  • Right to restrict,
  • Right to object,
  • Right to data portability, and
  • The right to know of any automated decision making (including profiling).

It’s worth noting that you can exercise your rights either verbally or in writing and the College will respond no later than one month.

The rights that apply for this particular processing is:

  • Right to be informed – this privacy notice addresses this.
  • Right of access – you can request access and copies of your personal data held by the College. To do this, please email the DataProtection@edinburghcollege.ac.ukand your request will be processed accordingly.
  • Right of rectification – this means that you can request that inaccurate or incomplete personal data is corrected.

You have the right to object to the processing of your personal data for this purpose. Where the processing is for public task, there are certain caveats for organisations to continue to process your personal data where it is justified. However, the right to object to direct marketing is absolute and will be responded to accordingly. As with right of access, if you wish to object please email the data protection mailbox and your request will be processed accordingly.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk.

If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect your information for the purpose of processing your application and enrolling you on Edinburgh College Summer School; to provide any additional services you have requested; and to facilitate your studies at the college (we explain this in more detail below).

We use your information to provide you with accommodation services, cultural activities (e.g. to arrange visits to local attraction), and transport services (e.g. collecting you from the airport).

We specifically need your information:

To process your application to study at Summer School

This will include evaluating whether the college is able to offer you a place on a course and on what terms; contacting you about any gaps in your application or queries you have; and offering a place on an Edinburgh College Summer School course where appropriate.

To review any additional support needs you may have

The application form gives you the opportunity to tell the college about any additional support need(s) (including health needs) you may have.

For academic purposes (once you enrol)

To provide you with teaching, learning and support services; to place you in a class of the appropriate level; to assess your work, record your progress and provide you with a course completion certificate; to give you access to learning and teaching tools, IT, library, and other college services; to provide you with additional services you have requested such as accommodation, cultural activities or transport services; to seek your feedback on our courses.

For administrative and financial management services

To administer fees due and paid for by you and to process payment made for other college-related services (for example if you are staying in college accommodation or have purchased an additional service such as airport transfers, catering, or social programme). Edinburgh College works with Western Union to facilitate student payments. When you make your payment via Western Union, Western Union will inform the College of your name, your student reference number (from the offer letter sent to you by the college) and the amount you have paid.

For immigration purposes

To support you with your application for a visa to study in the UK, and to comply with our Tier 4 Sponsor obligations to support immigration control.

For communication purposes

To communicate with you about the provision of the course you have applied for or enrolled on, and to inform you of future courses you may be interested in.

To analyse student applications and enrolments for business, planning and equal opportunities purposes

The college analyses student applications and enrolments, including by key protected characteristic groups (including age; disability; marriage and civil partnership; and gender) to plan and improve its services and curriculum offering. Analysing applications and enrolments by key protected characteristic groups forms part of the college’s responsibilities under the Public Sector Equality Duty, part of the Equality Act (2010).

To provide you with further information on courses relevant to your studies

But only where you provide consent to receive direct marketing.

What personal data do we collect?

Personal data

  • Name, address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • Parent/Guardian details (if under 18)
  • Local address and personal details of responsible adult in Edinburgh (if under 18)
  • Bank account details
  • Desired course and level of study at Edinburgh College Summer School
  • Financial information (including family) (only where this information required for visa purposes)
  • Disciplinary information
  • Appeals and complaints information
  • Photographic image and footage (CCTV)
  • Your unique student ID
  • First/preferred language
  • English level
  • Gender
  • Marital/civil partnership status (*if your visa status is dependent on your partner)
  • Passport number and country of domicile
  • Visa information (including details of relevant person if in possession of a dependent visa)

Special Category Personal Data

  • Disability & health data (including mental health)
  • Special interest group status (e.g. asylum seeker; refugee)
  • Attendance data (including sickness absence)
  • Gender identity
How are we collecting this information? What is the source?

When you first apply for a place on an Edinburgh College course, we will collect data about you from your completed application form. We may contact you for further information as detailed on the list above, especially if you require a visa to study in the UK or you are under 18 years old.

When you formally enrol on a course, we will also ask you for new items of personal information as identified on the list above.

If you are referred by an agent representative, or are being sponsored on your course, we will receive some or all of your personal information directly from your agent or sponsor.

Edinburgh College works with Western Union to facilitate student payments. When you make your payment via Western Union, Western Union will inform the College of your name, your student reference number (from the offer letter sent to you by the college) and the amount you have paid.

The lawful basis for the processing

Under GDPR Article 6(1)(b) “Processing is necessary for the performance of a contract to which the data subject is party to in order to take steps at the request of the data subject prior to entering into a contract.” Is legal basis for processing your personal data (to enrol you as a student at Edinburgh College and deliver the educational experience detailed to you).

For special category (sensitive) personal data, the legal basis is Article 9(2)(b) “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.” The specific social protection law which authorises processing of special category personal data is The Equality Act (2010).

Where the college provides you with further information on other courses relevant to your studies (for marketing purposes) the condition for processing your personal data is Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.

If you wish to withdraw your consent to receive direct marketing from Edinburgh College (at any time) please email: summerschool@edinburghcollege.ac.uk

Who we share the information with

For immigration purposes

As a Tier 4 Sponsor Edinburgh College has a responsibility to comply with all aspects of the Immigration Rules and sponsor guidance, and support immigration control, including taking steps to ensure that every student at our institution has permission to study in the UK throughout the whole period of their study. We must co-operate with the Home Office (UK Visas and Immigration) by complying with requests for information, including in connection with the prevention or detection of crime, the administration of illegal working civil penalties and/or the apprehension or prosecution of immigration offenders.

For sponsored programmes

We may be required to provide reports to your financial sponsors to update them about your attendance, progress and welfare.

For students under 18

We may contact your parents or guardians if we have any concerns about your attendance, progress or welfare.

Where we place you in accommodation (e.g. halls of residence with a homestay host):

(e.g. halls of residence with a homestay host): we will share your personal information (name, age, gender; contact details and special category information; dietary requirements, allergies, medical requirements) to facilitate your stay.

Where we arrange transport

(e.g. taxi transfers) we will share your name and (homestay) address in Edinburgh with the transport provider.

Where we arrange bus passes

We will share your name, date of birth and ID photo with the transport provider.

Where you are due a refund of fees

If you have paid your fees through Western Union and you are due a refund according to our refund policy, we will share your name, reference number, email address and total to be refunded with Western Union.

Where we have a legal obligation to do so

Edinburgh College is obliged to share limited information on international students with the Scottish Funding Council – the regulatory body for Scottish colleges. This information is limited to your: gender; name; date of birth; postcode; how your place on an Edinburgh College course is being funded.

Data Processors

The college uses the following data processer to process your personal information:

Unit-E is provided by a third-party supplier, to process student applications. This software is hosted by Edinburgh College and sits within the college’s technical controls.

Details of data transfers to any third countries or international organisations

For sponsored programmes

We may be required to provide reports to your financial sponsors to update them about your attendance, progress and welfare – subject to where your sponsor is located this may be outside the EU. Where a sponsor is outside the EU the college ensures appropriate organisational and technical security measures are in place to safeguard your data and that a clear agreement is in place around the security of your information.

Where you pay your fee via Western Union

Edinburgh College works with Western Union to facilitate student payments. When you make your payment via Western Union, Western Union will inform the College of your name, your student reference number (from the offer letter sent to you by the college) and the amount you have paid. Western Union processes your data in the United States. Where Edinburgh College shares your data with Western Union (for the purposes of processing a refund) your personal data will be processed in the United States.

How long do we hold the personal data?

We will keep paper records in relation to your studies for three years after the end of the academic year in which you are studying. Digital information will be held on the college’s systems and student records database to satisfy audit requirements: for example SFC require Edinburgh College to retain your data for 6 years for audit purposes.

Individuals’ rights in relation to this processing

Under data protection law you have a number of rights regarding how an organisation processes your personal data. You have various rights including:

  • Right to be informed (provided by this Privacy Notice)
  • Right of access to the personal information Edinburgh College holds about you.
  • Right to rectification - To change any personal information that’s wrong, incomplete or out of date.
  • The right to restrict processing – this links with the other rights and if there is an issue you can request that the processing restricted until the issues are resolved
  • The right to to object (including to direct marketing – which is an absolute right)
  • The right to erasure (commonly known as the ‘right to be forgotten’) – this means you have the right to request all your data is destroyed
  • The right to data portability – this means you have the right to have your personal data in a machine-readable format (e.g. .csv file) provided to you (or if you request transferred to another organisation).

If you want to know more about your rights, or if you want to contact Edinburgh College to make use one or more of your rights, please email DataProtection@edinburghcollege.ac.uk or phone 0131 297 8663. Please note some of these rights are not absolute and require certain conditions to be met.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk

Why are we collecting it and what are we doing with it (Purpose)?

We collect the information below to allow us to:

Enquire now Form

  • To contact you on an ongoing basis with pre-application information, including application deadlines, campus open days, and course information, about similar courses by email where you have used our “enquire now” form to apply for a particular course of study in (but where that course of study is closed/no longer taking applications).

International – Register your Interest Form

  • To contact you with information about our English Language Summer School; Group Study Programmes & Bespoke Training; Accommodation & Host Families; or general enquiry as you have requested and our international student course offering and services (on an ongoing basis). This contact will be made by email where you have used our “register interest” form

Customised Training Enquiry Form

  • To contact you with information regarding our training and business services, both in response to the summary of training requirements you have currently asked us about, but also to provide you with information regarding our training and business services on an ongoing basis. This contact will be made by email where you have used our “customised training enquiry” form
What personal data do we collect?

Personal data

Enquire now form

  • Name (first name, surname)
  • Email address

International – Register your Interest Form

  • Name (first name, surname)
  • Area of interest (English Language Summer School; Group Study Programmes & Bespoke Training; Accommodation & Host Families; or general enquiry)
  • Any other personal data you voluntarily provide as part of your query.

Customised Training Enquiry Form

  • Company Name
  • Contact Name
  • Job Title
  • Contact Number
  • Email
  • Summary of training requirements(any other personal data you voluntarily enter as part of your query.

Special Category Personal Data

International – Register your Interest Form

  • Any special category data you voluntarily provide as part of your query (e.g. health, ethnicity, sexual orientation, trade union membership, criminal conviction data).

Customised Training Enquiry Form

  • Any special category data you voluntarily provide as part of your query (e.g. health, ethnicity, sexual orientation, trade union membership, criminal conviction data).

 

How are we collecting this information? What is the source?

We collect your information and your consent to receive emails from the college when you enter this on to a query form on our website and submit this to the college.

OR

We collect your information when you submit your query via email, or via telephone, using the college contact details we provide.

The lawful basis for the processing

Where you use one or more of the four forms above, under data protection law, the lawful basis for processing your data is Article 6(1)(a) Consent:“the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

For any special category personal data you choose to submit, the lawful basis is Article 9(2)(g) Explicit Consent:“the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;)).

It’s important to note that consent can be withdrawn at any time. Please email DataProtection@Edinburghcollege.ac.uk if you wish to withdraw your consent.

Who we share the information with

Your information is shared with the appropriate Edinburgh College team, in order to respond to your query.

Where you use the “Ask A Question Form”; “International – Register your Interest Form” or “Customised Training Enquiry Form” your query will be directed to the appropriate Edinburgh College email address.

Data Processors:

Where you use our “Register Interest Form” or “Apply Now – Register your Interest Form” your information will be stored on Edinburgh College’s CRM (database). Edinburgh College’s CRM is hosted in the Microsoft Cloud, using data centres based the United Kingdom.

How long do we hold the personal data?
  • Enquire now form

Edinburgh College will hold your data (including the type of course you are interested in) on its CRM for five years.

  • International – Register your Interest Form;
  • Customised Training Enquiry Form

Edinburgh College will hold your data, for the purposes of contacting you in connection with the international course area; or customised training you are interested in; until such time as you withdraw your consent to be contacted by Edinburgh College.

Individuals’ rights in relation to this processing
  • Right to be informed – this privacy notice
  • Right of access – this means you can request a copy of the personal data an organisation holds on you
  • Right to rectification – this means you can request inaccurate or incomplete information is corrected
  • Right to erasure (commonly known as the Right to be Forgotten) – this means you can request that your personal data is deleted and the organisation no longer processes your personal data
  • Right to restriction – this means you can request an organisation restricts how your data is processed. This right links with some of the other rights, for example when you request data is corrected, until the data is corrected you could request the processing is restricted.
  • Right to data portability – this means you have the right to request your data in a machine readable format (e.g. csv file) and transfer it to you or another organisation
  • Right to object – this means you can object to your personal data being processed. This right is absolute in relation to direct marketing.
  • Rights in relation to automated individual decision-making including profiling – you have the right not to be subject to automated individual-decision making.

Not all of these rights are absolute, some have caveats and depend on the legal basis. If you wish to exercise your rights please contact the Data Protection team who will process your request and respond within one month of receipt of your request.

Complaints to UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please can you contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk . If you are not satisfied with the outcome then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO has guidance on their website here: https://ico.org.uk/your-data-matters/raising-concerns/

You can email them at casework@ico.org.uk or call them on 0303-123-113 or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF