0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

Student Direct Enrolment for Schools

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it, and what are we doing with it (Purpose)?

  • To enrol you on your course and add you to our college system, although you are still enrolled at your school, we need to know who will be on the course and collect specific details from you.
  • To support teaching and learning – this may involve monitoring how well you are doing on your course through assessments and examinations; providing you with access to learning and teaching tools (including online tools); enabling you to communicate with staff and fellow pupils; seeking your feedback; dealing with any issues or complaints; and telling you about events related to your learning.
  • To meet our duty of care to you and other legal obligations – including health and safety and safeguarding laws; to ensure reasonable adjustments are in place where you have declared you have a disability; to protect your vital interests or someone else’s, e.g. in a medical emergency; to monitor equality of opportunity and eliminate unlawful discrimination under the UK Equality Act 2010.
  • For public safety and the prevention and detection of crime, we use CCTV on our campuses; we monitor the use of IT facilities; and we apply security and welfare measures to ensure the safety and security of students and the wider College community, in accordance with health and safety and other relevant laws.
  • To analyse student applications for business, planning, and equal opportunities purposes, the college analyses applications by key protected characteristic groups (including age, disability, gender reassignment, race, religion or belief, gender, and sexual orientation) to plan and improve its services and curriculum offering. Analysing applications by key protected characteristic groups is part of the college’s responsibilities under the Public Sector Equality Duty, as set out in the Equality Act 2010. This information (where you choose to supply it) will not be used in any selection or allocation process.
  • To meet our responsibilities in relation to your school and local authority, and Skills Development Scotland, we will share basic information with your School and local authority (for example, City of Edinburgh Council, Midlothian and East Lothian councils).
  • To promote the college, we may take photographs, other images and recordings of students for possible use in our publicity and promotional material in print and online on our websites and social media. We may also inform you about college services, college events, or other direct marketing purposes.

What personal data do we collect?

Personal data is information that identifies you and relates to your life (whether that’s your home life, education, business, or job). Some of your personal data (like your health information, religion, or ethnicity) is more sensitive – this is called “special category data”. 

Personal data

  • Name, address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • School year at start of next academic session (i.e. S4, S5 or S6)
  • Course and units of study (including previous courses of study)
  • Assessment information related to your course, including assessment and exam dates and results
  • Appeals and complaints information
  • Attendance data
  • Your unique student ID
  • If you are a carer or have caring responsibilities
  • Care experienced/looked after background status (if applicable)
  • First/preferred language
  • Evidence to support Alternative Assessment Arrangements (including examinations).
  • Your IP Address (your unique online identifier when browsing the internet).

Special category data (only where you provide this, or it is required by law)

  • Gender (and gender identity)
  • Sexual orientation
  • Religion or religious denomination
  • Ethnicity
  • Disability and health data (including mental health); additional support needs information
  • Medical information and medication administration information
  • Special interest group status (e.g. asylum seeker; refugee; stateless person; person with profound or complex needs).

How are we collecting this information? What is the source?

We collect the majority of information directly from you through the college’s Direct Enrolment application form. We may also receive relevant information about you from your School/Local Authority.

The lawful basis for the processing

For processing of your personal data to process your application, the lawful basis is GDPR Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. The specific law authorising this is the Post-16 Education (Scotland) Act 2013.

Where your special category personal data are processed, the lawful basis is GDPR Article 9(2)(g) “processing is necessary for reasons of substantial public interest, based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

Where the college processes your special category data specifically to provide learning support, the relevant law is the Post-16 Education (Scotland) Act 2013.

Where applicants’ special category demographic information (gender identity, sexual orientation, race, ethnicity) is processed for analysis to advance equality of opportunity and treatment for all student groups, the specific law authorising this is the Equality Act 2010 (but only where you’ve chosen to supply this information).

Where your personal data is shared with your school or local authority for the purposes of updating them on your application status, the specific law authorising this is the Education (Scotland) Act 1980.

Where your personal data is shared with Skills Development Scotland, the specific law authorising this is the Post-16 Education (Scotland) Act 2013 and specifically the Young People's Involvement in Education and Training (Provision of Information) (Scotland) Order 2014.

Who we share the information with

  • Your local authority and/or school (for example: City of Edinburgh Council, Midlothian Council, East Lothian Council). This is provided through a secure ‘schools tracker’.
  • The government or its agencies, including the Scottish Funding Council (SFC), and other official bodies, are required to submit statistical returns.
  • Emergency services (fire, police, ambulance) or a health or social care professional to protect your vital interests or someone else’s, e.g., in a medical emergency or safeguarding concern.
  • The Police or other law enforcement agency, where this is necessary for law enforcement. 
  • With Local Authority Social Care teams or other ‘Corporate Parents’ where our Corporate Parenting responsibilities require us to support the well-being of children and young people, who enrol at Edinburgh College and who are Looked After, Care Experienced and/or Care Leavers. Please note, local authorities may nominate other organisations and services to fulfil Corporate Parenting duties on their behalf (e.g., Barnardos, Dean & Cauvin, supported accommodation services), and Edinburgh College will share information accordingly.
  • To third parties we have appointed to work for us, e.g., online learning platform (Moodle), and plagiarism detection systems (Turnitin).

Where sharing is not for the above or a legal obligation, we will share your personal information only when we have your consent. If you are under 16, we may share your personal information with a parent or guardian.

How long do we hold the personal data? 

Personal data will remain on the college’s Student Record System in line with the college’s retention schedule.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance, please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO guides on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303-123-113, or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF