9 November 2023
For the purposes of this Privacy Notice, “UK Data Protection Legislation” is defined as, for the periods in which they are in force, the UK GDPR / Data Protection Act 2018, all laws giving effect or purporting to give effect to or otherwise relating to data protection (to the extent the same apply).
In this notice (the “Privacy Notice”), “CST”, “NTA”, “the Group”, “we”, means Confederation of School Trusts.
The Group includes:
The Group are committed to respecting your privacy.
For the purposes of data protection law the Group is a data controller in respect of your personal data. The Group are responsible for ensuring that the Group use your personal data in compliance with data protection law. The below clauses in this Privacy Notice set out the basis on which any personal data about you, that you provide to us, that the Group create or that the Group collect or generate about you, will be processed by us. This Notice explains how the Group will collect, store and use any personal data you provide via our website(s), email or networking with our people and when you otherwise communicate with the Group (including in the course of the services the Group provide or the running of our business).
This Privacy Notice also applies to any person whose personal data has been provided to the Group by an agent or direct or indirect owner of a member’s and non-member’s personal data or by an employer or where the Group otherwise use a person’s personal data.
This Privacy Notice may change from time to time and if it does, the up-to-date version will always be available on our website(s) and becomes effective immediately.
Reference to “members and non-members” includes, schools, trusts, individuals and all other potential customers or clients for the Group.
Who the Group are
The Group are registered in the UK, with our registered office address at Suite 1, Whiteley Mill, 39 Nottingham Road, Stapleford, Nottingham NG9 8AD.
For the purposes of Data Protection legislation, CST is the Data Controller for all CST and CSTPD data and information. This means it is responsible for the protection of personal information about you.
CST Professional Development is part of the Group, of which this entity is a joint controller in respect of all personal data where Confederation of School Trusts is a controller.
NTA is the Data Controller for all NTA related data and information and have a Data Sharing Agreement between NTA and CST as required.
As data controllers the Group is responsible for all personal information that they collect, and they are liable if that information is breached.
Types of personal data the Group collect
The type and amount of information we collect depends on why you are providing it.
The information we collect when you make an enquiry to the Group includes your name, role, trust name/school, telephone number and email address.
If you are applying to be a member of the Group, we will ask for details of your Trust/School which will include the name of your Trust/School and the name of your Accounting Officer. We will also ask for details about your Trust/School and which type of membership you wish to apply for. We then ask for details of the executive and governance leaders and member of the central services team in your Trust who would like to be directly included in membership and receive full benefits by email – this includes job title, title, name and email address and whether they are National Leaders of Education. You will also be asked for your email preferences.
If you sign up for an event, or to be part of a network or one of our programmes, in addition to asking for the name, telephone number, email address and role/position of the person making the booking, we also ask for the Trust/school name. We then ask for the title, name, position and email address of each of the attendees being booked onto the event or network. You will also be asked for your email preferences. For our programmes, our Governance Advisory Service or any bespoke training, we may ask for further information in order to ensure that you receive the best outcomes from these services.
For any payment, we will keep copies of your bank details if we need to make regular payments to you – for example refunding travel expenses, doing consultancy work.
If you are a job applicant, the information you are asked to provide is as set out in the application and necessary for the purposes of our considering the application.
NTA specific requirements
If you are registering your school with NTA to receive Early Careers Teacher (ECT) induction support services, we will ask for the name of the school/trust, address, telephone number and type of school. We will also ask for the name, email address and mobile number of the Headteacher, Induction Lead and any other tutors or mentors who will be supporting Early Careers Teachers (ECTs) during their induction. In order to register ECTs to receive induction support services, we will ask for their name, address, email address, date of birth and Teacher Reference Number (TRN). We will also hold details of previous schools in which they worked (if any) and information about their Initial Teacher Training (ITT). We will also hold the name and email address of your finance department contact for invoicing purposes.
The Group may collect and process the following data about you:
Information provided to the Group by you or representative in connection might include:
How the Group collect information
The group may collect information from you whenever you contact us or have any involvement with us for example when you:
Where the Group collect information from
The Group collect information:
How the Group use your information
The Group will use your personal information in a number of ways which reflect the legal basis applying to processing of your data. These may include:
to market certain services, events and content that may be of interest to you but only if you have given the Group your consent to do so or the Group are otherwise able to do so in accordance with applicable UK Data Protection Legislation.
Legal basis for processing your information
The group are entitled to process your personal data in the ways described above in this privacy Notice for the following reasons:
If you want to contact us about your marketing preferences, please contact email@example.com, or call on 0115 917 0142.
For NTA related marketing preferences, please contact firstname.lastname@example.org or call on 07720 593542.
How we keep your information safe
We understand the importance of security of your personal information and take appropriate steps to safeguard it.
All electronic data is password protected, documented in the Password Policy distributed to all staff, consultants and contractors.
We always ensure only authorised persons have access to your information, which means only our staff, trustees and contractors, and we ensure that everyone who has access is appropriately trained to manage your information.
Disclosure of your data to third parties
The Group may from time to time, in accordance with the purposes described in this Privacy Notice above, disclose your personal data to other parties, including, but not limited to:
Some of these persons will process your personal data in accordance with our instructions, where they act as our data processor, and others will themselves be responsible for their use of your personal data where they act as a data controller. This will depend on the purposes of our sharing your personal data. These persons may be permitted to further disclose the data to other parties.
We provide these third parties with the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Transfers of your personal data outside of the UK and European Economic Area
Information held by the Group is stored within our Cloud environment. Your personal data may be transferred to and stored inside of the UK and European Economic Area (the EEA).
Where personal data is transferred outside the UK/EEA, the group will ensure that the transfer is subject to appropriate safeguards by our affiliates or service providers.
You can obtain more details on the protection given to your personal data when it’s transferred outside the UK/EEA, including a copy of any International Data Transfer Agreements entered into with processors of your personal data, by contacting us using the details set out under Contacting the Group or Making a Complaint in this Privacy Notice.
The provision of certain personal data is necessary for the Group to provide the Service and for our compliance (and that of our service providers) with certain legal and regulatory obligations.
Safeguarding your information
The Group have extensive controls in place to maintain the security of our information and information systems. Appropriate controls (such as restricted access) are placed on our computer systems.
As a condition of employment, all employees are required to follow all applicable laws and regulations, including in relation to Data Protection Law. Unauthorised use or disclosure of confidential client information by an employee is prohibited and may result in disciplinary measures.
Keeping your information up to date
We really appreciate it if you let us know if your contact details change. You can do so by contacting any employee of the Group.
Our use of “cookies”
How long we keep your information for
We will hold your personal information for as long as it is necessary for the relevant activity. Please see our Records Retention Policy.
Where we rely on your consent to contact you for direct marketing purposes, we will treat your consent as lasting only for as long as it is reasonable to do so. This will usually be for three years. We may periodically ask you to renew your consent.
If you ask us to stop contacting you with marketing or fundraising materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.
You have the right to request details of the processing activities that we carry out with your personal information through making a Subject Access Request. To make a request please contact us at email@example.com (for CST or CSTPD) or firstname.lastname@example.org.
You also have the following rights:
All of these rights are subject to certain safeguards and limits or exemptions, further details of which can be found in our Data Protection Policy.
If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain refer to Contacting the Group or Making a Complaint section below.
The Group don’t and won’t knowingly collect information from any unsupervised child under the age of 13.
The Group may collect and use your personal information for undertaking marketing by email, telephone and post.
The Group may send you certain direct marketing communications (including electronic marketing communications to existing members and non-members) if it’s in our legitimate interests to do so for marketing and business development purposes.
However, we’ll always obtain your consent to direct marketing communications where we’re required to do so by law.
You have the right to ask the Group not to process your personal information for marketing purposes. You can do this by contacting the Group by post or email using the details in the Contacting the Group or Making a Complaint section below.
Contacting the Group or Making a Complaint
If you would like further information on the collection, use, disclosure, transfer or processing of your personal data or the exercise of any of the rights listed above, please address questions, comments and requests to the Data Protection Representative at the Group, using the contact details below.
If you are not satisfied with the response you receive from us, then you can complain to the ICO:
Information Commissioner’s Office
Helpline number: 0303 123 1113 or 01625 545 745 if you prefer to use a national rate number.
You can find out more information about your rights by contacting the UK’s Information Commissioner’s Office, or by searching the ICO website: https://www.ico.org.uk
We’ll update or amend this Policy from time to time, to comply with law or to meet our changing business requirements. You should bookmark and periodically review this page to make sure that you’re familiar with the most current version and so you’re aware of the information the Group collect, how the Group use it and under what circumstances the Group disclose it.
You can see when our most recent update to this Privacy Notice was by checking the “Last updated” note at the top of this page. Do please check this Policy each time you consider giving your personal information to us.
Exceptions to this policy must be approved by the Chief Operating Officer in writing.
All breaches of this policy, actual or suspected must be reported to your line manager initially. In certain cases, the incident may be raised with the Information Security/ Data Protection Team who will ensure it is investigated. Breaches of this policy may be considered as gross misconduct, and in certain cases lead to termination of employment and/or legal action/prosecution.