Menu
Contact Us

Privacy Policy

Data Protection Policy

1. General Statement of BBIS’ Duties

As part of its day-to-day operations, BBIS processes relevant personal data (which may be held on paper, electronically or otherwise) regarding Students (including past, current and prospective Students) and their parents and others who have parental responsibility in relation to the Students. BBIS recognises the need to treat such data in an appropriate and lawful manner in accordance with the GDPR. Data will be destroyed in accordance with the GDPR. Paper data will be destroyed by a cross-cut shredder.

2. Data Protection Officer

The Data Protection Officer (DPO) is Tamas Fuzesy, Finance Director, who is responsible for ensuring that all personal data is processed in compliance with this policy and the Principles of the GDPR

3. The Principles

BBIS shall comply with the GDPR Principles (the Principles) contained in the GDPR, which say that personal data must be:

  • Fairly and lawfully processed;
  • Processed for limited purposes and in an appropriate way;
  • Adequate, relevant and not excessive for the purpose;
  • Accurate and up-to-date;
  • Not kept for longer than necessary for the purpose;
  • Processed in accordance with the data subject’s rights;
  • Secure;
  • Not transferred to people and organisations situated in countries without adequate protection.

4. Personal Data

Personal data is defined as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

BBIS may process a wide range of personal data of Students, their parents or persons with parental responsibility for them as part of its operations. This personal data may include (but is not limited to); names and addresses, dates of birth, family details, health information, financial means, contact telephone numbers, and email addresses, bank details, academic, disciplinary, admissions and attendance records, and references.

5. Processing of Personal Data

Processing means doing anything with the data, such as accessing, disclosing, destroying or otherwise using data.

BBIS will usually only process personal data where, in relation to personal data regarding Students, the pupil or the parent(s) or other person(s) having parental responsibility have given consent on the pupil’s behalf or where the personal data relates to parents or other person(s) having parental responsibility such persons have given consent.

BBIS will also process personal data where the processing is necessary for BBIS to comply with its legal obligations to Students, their parents or persons with parental responsibility.
In other cases, processing may be necessary for the protection of the students’ vital interests, BBIS’s legitimate interests, or the legitimate interests of third parties. The Data Protection Act sets out the full list of conditions for the lawful processing of data.

6. Sensitive Personal Data

Sensitive personal data about ethnic origin, political opinions, religious or similar beliefs, health, sex life, criminal proceedings or convictions will usually only be processed when the parent(s) or other person(s) having parental responsibility for the pupil have given explicit consent on behalf of the pupil or on their own behalf in relation to sensitive personal data about themselves, usually in writing. Consent will not be required to comply with a legal obligation of BBISs or to protect the Students’ vital interests. The full list of conditions is set out in the Data Protection Act 1998.

BBIS may process sensitive personal data relating to Students, including as appropriate:

  • Information about a pupil’s physical or mental health or condition in order to monitor attendance and academic progress and make decisions with regard to the Student’s educational needs;
  •  In order to comply with legal requirements and obligations to third parties.

7. Processing for Limited Purposes

BBIS will only process personal data for the specific purpose or purposes notified to Students and their parents or other persons having parental responsibility for them or for any other purposes specifically permitted by the Data Protection Act.

8. Adequate, Relevant and Non-Excessive Processing

Personal data will only be processed to the extent that it is necessary for the specific purposes notified to Students and their parents or other persons having parental responsibility for them.

9. Data Retention

BBIS will not keep personal data relating to Students or their parents or other persons having parental responsibility for them for longer than is necessary for the purpose. This means that data will be destroyed or erased from BBIS’ systems when it is no longer required. For guidance on how long certain data is likely to be kept before being destroyed, contact the DPO.

10. Processing in line with Student/ Parental Rights

Students and their parents and other persons having parental responsibility for them have the right to:

  • Request access to any personal data BBIS holds about them.
  • Prevent the processing of their data for direct marketing purposes.
  •  Ask to have inaccurate data held about them amended.
  • Prevent processing that is likely to cause unwarranted substantial damage or distress to them or anyone else.
  • Object to any decision that significantly affects them being taken solely by a computer or other automated process.

11. Data Security

BBIS will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data and against accidental loss of, or damage to, personal data.
BBIS has procedures and technologies in place to maintain the security of all personal data from the point of collection to the point of destruction. BBIS will only transfer personal data to a third party if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.

12. Providing Information to Third Parties

Personal data will not be disclosed to a third party without the consent of the pupil’s parents or other person having parental responsibility for them unless BBIS is satisfied that they are legally entitled to the data. Where BBIS discloses personal data to a third party, it will have regard to the Principles.

13. Rights of Access

Subject to the exceptions referred to below, students and their parents and other persons having parental responsibility for them have a right to access information held by BBIS. Any individual wishing to access their personal data should put their request in writing to the DPO.

Certain data is exempt from the right of access under the Data Protection Act. This includes information that identifies other individuals, information that BBIS reasonably believes is likely to cause damage or distress, and information that is subject to legal professional privilege.

BBIS will also treat as confidential and will not disclose any reference given by BBIS for the purpose of the education of any pupil. BBIS acknowledges that an individual may have the right to access a reference received by BBIS relating to them. However, such a reference will only be disclosed if it is possible to disclose the reference without identifying who has given it, where the individual will not identify the source of the reference, or where the referee has given their consent or if the disclosure is otherwise reasonable in all the circumstances.

14. Whose Rights

The rights under the Data Protection Act are the individual to whom the data relates. BBIS will, however, in most cases, rely on parental consent to process data relating to Students.

BBIS will grant the pupil direct access to their personal data if, in BBIS’s reasonable belief, the pupil understands the nature of the request, and it is felt to be in the best interests of the student to do so. As a general guide, a child aged 12 or older is expected to be mature enough to understand the request they are making. A child may, however, be mature enough at an earlier age or may lack sufficient maturity until a later age. All requests will be considered on a case-by-case basis. Students are deemed to have given their consent to BBIS disclosing their personal data to their parents or persons having parental responsibility for them, but that implied consent can be withdrawn by the pupil giving notice in writing to BBIS.

Where a pupil raises a concern confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents or persons having parental responsibility for them, BBIS will maintain confidentiality unless it has reasonable grounds to believe that the pupil does not fully understand the consequences of withholding their consent, or where BBIS believes disclosure will be in the best interests of the pupil or other Students.

15. Exemptions

There are situations where access to information may be withheld by BBIS:

a) The Data Protection Act contains a number of exemptions when information may be withheld; these include:

  • information which might cause serious harm to the physical or mental health of the pupil or another individual;
  • cases where the disclosure would reveal a child is at risk of abuse;
  • information contained in adoption and parental order records.

b) Unstructured personal information.
BBIS will generally not be required to provide access to information held mutually and in an unstructured way.

16. Disclosure of Information

BBIS may receive requests from third parties to disclose personal data it holds about Students, their parents or persons having parental responsibility for them. BBIS confirms that, subject to what is set out below, it will not generally disclose information unless the individual has given their consent in writing or one of the specific exemptions under the Data Protection Act applies. However, BBIS does intend to disclose such data as is necessary to third parties for the following purposes:

  • To give a confidential reference relating to a pupil to any educational institution which it is proposed that the pupil may attend.
  • To give information relating to outstanding fees or payment history to any educational institution which it is proposed that the pupil may attend.
  • To publish the results of achievements of Students of BBIS.
  • To disclose details of a pupil’s medical condition where it is in the pupil’s interests to do so, for example, for medical advice, insurance purposes or to organisers of school trips.

Where BBIS receives a disclosure request from a third party in relation to the matters referred to above it will take reasonable steps to verify the identity of that third party before making any disclosure.

17. Use of Personal Information by BBIS

BBIS will, from time to time, make use of personal data relating to Students, their parents or guardians in the following ways. Should a Parent wish to limit or object to any such use, this should be notified the DPO in writing.

  • To make use of photographic images of Students in school publications and on BBIS’ website. However, BBIS will not publish photographs of individual Students with their full names without the express agreement of the appropriate individual, parents are able to opt out of this by a declaration on the parental agreement.
  • For fundraising, marketing or promotional purposes and to maintain relationships with Students of BBIS, including transferring information to any association, society or club set up for the purpose of establishing or maintaining contact with Students, or for development, fundraising, marketing or promotional purposes.

18. Accuracy

BBIS will ensure that all personal data held in relation to an individual is accurate and up to date. Data which is inaccurate or out of date will be erased or destroyed. Individuals must notify the DPO of any changes to information held about them or if they become aware that there are inaccuracies in the personal data held about them.

19. Security

BBIS will take reasonable steps to ensure that members of staff and owners will only have access to personal data relating to Students and their parents where it is necessary for them to do so. All owners and staff will be made aware of this policy and their duties under the Data Protection Act. BBIS will ensure that all personal information is held securely and is not accessible to unauthorised persons. When disposing of records and equipment, BBIS will make sure that personal information cannot be retrieved from them.

20. Disposal

Personal data will not be held for longer than is necessary.

21. Enforcement

If an individual believes that BBIS has not complied with this policy or acted otherwise than in accordance with the Data Protection Act, they should notify the DPO in the first instance. BBIS’s Complaints Procedure may also be used. A copy of the procedure is available on BBIS’ website and from the DPO.

Author Dr David Porritt
Position of Author  Principal
Date February 2022
Reviewed by David Porritt,  Tamas Fuzesy, Gabor Kocsor, Jon Spinks
Review Frequency 2 years
Next Review Date February 2025