DATA PROTECTION POLICY

1. Policy Statement

1.1 Everyone has rights regarding the way in which their personal data is handled. During the course of our activities we will collect, store and process personal data about our customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.
1.2 Data Users are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.

2. About this Policy

2.1 The types of personal data that Stay Campus London (We) may be required to handle include information about current, past and prospective clients and others which we communicate with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act 2018 (the Act) and other regulations.
2.2 This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.
2.3 This policy does not form part of any employee's contract of employment and may be amended at any time.
2.4 This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.

3. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the School Director.

4. Definition of Data Protection Terms

4.1 Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.
4.2 Data subjects for the purpose of this policy include all living individuals about whom we hold personal data save for our employees. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.
4.3 Personal data means data relating to a living individual who can be identified from that data. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.
4.4 Data controllers are the people who or organisations which determine the purposes for which, and the way in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Act. We are the data controller of all personal data used in our business for our own commercial purposes.
4.5 Data users are those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
4.6 Data processors include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions. Employees of data controllers are excluded from this definition, but it could include suppliers which handle personal data on the school’s behalf.
4.7 Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
4.8 Sensitive personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

5. Data Protection Principles

Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:
(a) Processed fairly and lawfully.
(b) Processed for limited purposes and in an appropriate way.
(c) Adequate, relevant and not excessive for the purpose.
(d) Accurate.
(e) Not kept longer than necessary for the purpose.
(f) Processed in line with data subjects' rights.
(g) Secure.
(h) Not transferred to people or organisations situated in countries without adequate protection.

6. Fair and Lawful Processing

6.1 The Act is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
6.2 For personal data to be processed lawfully, they must be processed based on one of the legal grounds set out in the Act. These include, among other things, the data subject's consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met. When processing personal data as data controllers in the course of our business, we will ensure that those requirements are met.

7. Processing for Limited Purposes

7.1 In the course of our business, we may collect and process the personal data set out in the Schedule. This may include data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
7.2 We will only process personal data for the specific purposes set out in the Schedule or for any other purposes specifically permitted by the Act. We will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter.

8. Notifying Data Subjects

8.1 If we collect personal data directly from data subjects, we will inform them about:
(a) The purpose or purposes for which we intend to process that personal data.
(b) The types of third parties, if any, with which we will share or to which we will disclose that personal data.
(c) The means, if any, with which data subjects can limit our use and disclosure of their personal data.
8.2 If we receive personal data about a data subject from other sources, we will provide the data subject with this information as soon as possible thereafter.
8.3 We will also inform data subjects whose personal data we process that we are the data controller with regard to that data.

9. Adequate, Relevant and Non-Excessive Processing

We will only collect personal data to the extent that it is required for the specific purpose notified to the data subject.

10. Accurate Data

We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

11. Timely Processing

We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.

12. Processing in Line with Data Subject’s Rights

We will process all personal data in line with data subjects' rights, in particular their right to:
(a) Request access to any data held about them by a data controller.
(b) Prevent the processing of their data for direct-marketing purposes.
(c) Ask to have inaccurate data amended.
(d) Prevent processing that is likely to cause damage or distress to themselves or anyone else.

13. Data Security

13.1 We will process all personal data we hold in accordance with our Data Security Policy. We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
13.2 We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
13.3 We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
(a) Confidentiality means that only people who are authorised to use the data can access it.
(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(c) Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on the central computer system instead of individual PCs.
13.4 Security procedures include:
(a) Entry controls. Any stranger seen in entry-controlled areas should be reported.
(b) Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
(c) Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
(d) Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

14. Transferring Personal Data to a Country Outside The EEA

14.1 We may transfer any personal data we hold to a country outside the European Economic Area ("EEA"), provided that one of the following conditions applies:
(a) The country to which the personal data are transferred ensures an adequate level of protection for the data subjects' rights and freedoms.
(b) The data subject has given his consent.
(c) The transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
(d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
(e) The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights.
14.2 Subject to the requirements in clause 12.1 above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. That staff maybe engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.

15. Disclosure and Sharing of Personal Information

15.1 We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
15.2 We may also disclose personal data we hold to third parties:
(a) In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets.
(b) If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets.
15.3 If we are under a duty to disclose or share a data subject's personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
15.4 We may also share personal data we hold with selected third parties for the purposes set out in the Schedule.

16. Dealing with Subject Access Requests

16.1 Data subjects must make a formal request for information we hold about them. This must be made in writing. Employees who receive a written request should forward it to their line manager OR the School Director immediately.
16.2 When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:
(a) We will check the caller's identity to make sure that information is only given to a person who is entitled to it.
(b) We will suggest that the caller put their request in writing if we are not sure about the caller’s identity and where their identity cannot be checked.
16.3 Our employees will refer a request to their line manager or the Director for assistance in difficult situations. Employees should not be bullied into disclosing personal information.

17. Changes to this Policy

We reserve the right to change this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or e-mail.

Stay Campus London Privacy Policy

Our Privacy Policy governs any kind of processing where we are acting as a data controller or co-controller (including collection, use, transfer, storage and deletion) of personally identifiable information. This policy applies to our processing of data collected through any means, actively as well as passively, from persons located anywhere in the world. Any questions regarding our processing of personal data may be directed to info@staycampuslondon.com.

Please read the following policy carefully to understand what information we may collect from you, how we may use it, and your rights in respect of our use.

We will be guided by the following principles when processing data:

  • We will only collect data for specific and specified purposes; we will make it clear at the point when we request your information, what we are collecting it for and how we are going to use it.
  • We will not collect data beyond what is necessary to accomplish those purposes; we will minimise the amount of information we collect from you to what we need to deliver the services required.
  • We will collect and use your personal information only if we have sensible business reasons for doing so, such as managing a booking or gathering necessary information about a new member of staff, ETO.
  • We will not use data for purposes other than that for which the data was collected, except as stated, or with prior consent.
  • We will seek to verify and/or update data periodically, and we will accept requests for amendments of personal data.
  • We will apply high technical standards to make our processing of data secure.
  • Except when stated, we will not store data in identifiable form longer than is necessary to accomplish its purpose, or as is required by law.

Information collected

We collect information on you:

  • When you apply to join a course or programme at the school.
  • When you contact us for information, via our website, by email, by phone, in person or via social media channels.
  • When you work with us in a commercial capacity (for example as an ETO or partner).
  • When you apply to work at Stay Campus London, and when you are subsequently employed by Stay Campus London.
  • If you post on our social media channels or on our website or blog.

Our students

What personal data do we need from you?

Before you start and during your relationship with us, we will collect, store and process the following personal data:

  • Full Name
  • Address
  • Contact telephone numbers
  • Contact email address
  • Date of birth
  • Passport number
  • Photo or Video
  • Next of kin contact details
  • Course and language capability details
  • Medical details

Permission to collect and store data of students under the age of 18 is obtained directly from the child’s parents or legal guardian through our parental consent form.

Who has access to your personal data?

We are committed to restricting access to personal data to just those individuals who may need it to meet their or the school’s obligation. The specific data each individual has access to is limited to only that which is necessary for them to be able to carry out their function. For us this means the following may have access to some or all of your data:

  • The Directors
  • Members of the Accommodation department
  • Members of the Operations department
  • Members of the Reception team
  • Members of the Welfare team
  • Members of the Finance department
  • Members of the Marketing team
  • Academic staff

Who do we share your personal data with outside of the school?

In order to fulfil our regulatory and contractual obligations we will need to share your personal data with third parties outside of the school. We have also chosen to outsource some of our operational requirements and our outsourced suppliers also need access to your personal data. In all cases we have committed to limiting the personal data that we share to only that which is necessary for them to be able to carry out the function we have contracted with them to perform. However, we take your privacy seriously and will therefore, never sell your personal data to anyone and will take precautions to keep it secure. Your data may be shared with:

  • Education Travel Organisations (Agents); Quality Standard Inspectorates (e.g. British Council); ISI.
  • Government Enforcement Agencies such as the Home Office; Immigration; the Health & Safety Executive, the Police.
  • Taxi and airport transfer providers.

How long do we retain your personal data?

We will retain all your personal data for the duration of your contract and then for a further 5 years to enable us to meet our regulatory and legal obligations; to ease administration should you wish to return to undertake further studies; and to keep you up to date with news from Stay Campus London which may be of interest to you. After 5 years all records will be deleted.

Our Educational Travel Operators

What personal data do we need from you?

Before you start and during your relationship with us, we will collect, store and process the following personal data:

  • Full Name
  • Company Address
  • Contact telephone numbers
  • Contact email address
  • Bank details

Who has access to your personal data?

We are committed to restricting access to personal data to just those individuals who may need it to meet their or the school’s obligation. The specific data each individual has access to is limited to only that which is necessary for them to be able to carry out their function. For us this means the following may have access to some or all of your data:

  • The Directors
  • Members of the Marketing department
  • Members of the Accommodation department
  • Members of the Reception team
  • Members of the Finance department
  • Members of the Welfare team
  • Members of the Registration department

Who do we share your personal data with outside of the school?

In order to fulfil our regulatory and contractual obligations we will need to share your personal data with third parties outside of the school. We have also chosen to outsource some of our operational requirements and our outsourced suppliers also need access to your personal data. In all cases we have committed to limiting the personal data that we share to only that which is necessary for them to be able to carry out the function we have contracted with them to perform. However, we take your privacy seriously and will therefore, never sell your personal data to anyone and will take precautions to keep it secure. Your data may be shared with:

  • Quality Standard Inspectorates e.g. British Council; Quality English.
  • Government Enforcement Agencies e.g. the Home Office; Immigration; the Health & Safety Executive, the Police.

How long do we retain your personal data?

We will retain all your personal data for the duration of your contract and then for a further 5 years to enable us to meet our regulatory and legal obligations. After 5 years all records will be deleted.

Legal bases for processing your data

The General Data Protection Regulation (GDPR) establishes 6 legal bases on which we can process your data: these are Consent, Contract, Legal Obligation, Vital Interests, Public Task and Legitimate Interests. For further information about these legal bases and fuller definitions, please refer to the ICO website.

We use different legal bases for processing your data depending on the purpose for collecting your data in the first instance:

  • For all data collected as part of the process of enquiring about, applying for and booking a course or for any other related service (e.g. airport transfer, social programme, insurance to cover you during your stay), or where you give us feedback about aspects of this provision, we process using Contract or Legitimate Interests, namely the fulfilment of the booking. This may include sending of your data to our partners such as Educational Tour Operators (ETOs), Government Agencies or Schools. Where required by law to do so, we may also process your data under Legal Obligation.
  • Any processing of customer data not directly related to the fulfilment of a booking or related services, such as signing up for newsletters or free lessons on our website or sending messages to you on behalf of third parties, is managed under Consent. From time to time, we may use elements of the data you supply to target the messages we send to you. For example, we may use your location to send you information about an event or opportunity happening in your area. During your stay at Stay Campus London, we may take photographs or videos of you, and the use and processing of these is also managed through Consent.
  • For all data collected as part of managing our relationship with commercial partners, such as ETOs, Government Agencies and Schools, we process using Contract, Legitimate Interest and Legal Obligation, namely the maintenance of the commercial relationship. As newsletters to commercial partners are an important part of how we communicate with them, these are managed under Legitimate Interest.
  • For all data collected as part of the process of employing and managing staff, we process using Contract, Legal Obligation and Legitimate Interests, namely the employment of the employee. This will include data required for HMRC, pensions and insurance.  In the event of our sending newsletters to our staff, these will be managed under Legitimate Interest.
  • We may process any of your personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is Legitimate Interest, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
  • We may process any of your personal data identified in this policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is Legitimate Interest, namely the proper protection of our business against risks.

We will make it as easy as we can for you to opt out of unwanted processing under Consent, providing it does not restrict our ability to provide you with the primary service you have requested.

We collect data for a wide range of purposes. Data is managed to ensure that it is either erased from our system when it is no longer required for the purpose for which it was collected, retained for legal reasons, or minimised and retained.

We are co-processors of information relating to marketing and booking clients with partners overseas (for example ETOs, schools, government and national sponsors). As such, we may transfer some data outside of the EU, but this will be limited to data necessary for the performance of a contract made in the interests of the individual (which is an exemption to the 8th principle of the GDPR legislation). We remain responsible for the data held, processed or sent via our systems. We are not responsible for the security and processing of data which is held, processed or sent via our partners’ systems. However, we require all of our partners overseas to confirm that they will process data securely in line with the requirements of GDPR or the equivalent in their country. We do not sell your data at any time.

Special Category Data/Criminal Record Data

We may request health data from potential students and employees. This data has special protection under the GDPR under the specific conditions listed in Article 9 (2) of the GDPR that processing is necessary either to protect the vital interests of the data subject, (or of another natural person where the data subject is physically or legally incapable of giving consent), or where processing is necessary for the purposes of preventive or occupational medicine or the assessment of the working capacity of an employee.

The school has safeguarding responsibilities and carries out DBS checks on all staff and other people who are likely to have direct supervisory responsibility for or unsupervised contact with young people under the age of 18. We may process and record securely risk assessments of these DBS checks where the disclosure is not clear. These risk assessments will be disposed of securely when that person no longer has supervisory responsibility or unsupervised contact with young people under the age of 18 on behalf of the school.

Children under 18

We collect or store personal information about children under the age of 18 in the context of managing bookings and directly related products, and for safeguarding purposes. Permission is obtained directly from a legal adult guardian to collect this information through our Parental Consent Form. As part of this process, we request special category data relating to the health of the child, which we manage through Vital Interest.

We also gain consent from parents for the use of photos or video taken during their child’s stay at Stay Campus London through the Parental Consent Form.

Information collected via our website

How we will use information collected by our website

We may use information held about you in the following ways:

  • To process a booking for one of our courses or products.
  • To manage an application to work for the school.
  • To create a profile for you to help us provide a more personalised service which is suited to meet your preferences.
  • To ensure that content from our site is presented in the most effective manner for you and your computer.
  • To send you our newsletters or provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes.
  • To allow you to participate in interactive features of our service, when you choose to do so.
  • To notify you about changes to our service.

Links from our website

Our website contains links to and from websites operated by individuals and companies over which we have no direct control. If you follow a link to any of these websites, please note that these websites have their own privacy and terms of use policies and that we do not accept any responsibility or liability for these policies. We advise you to check these policies before you submit any personal data to these websites.

Cookies

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

We use a single cookie, “session ID”, to identify you when you visit our website, keep you logged in as you navigate our website, and store temporary information during the course application process. This functional cookie does not identify any individual and is required for the correct operation of our website.

Our service providers use cookies and those cookies may be stored on your computer when you visit our website. These cookies do not contain any information that is personally identifiable to you.

  • Google Analytics - used to analyse the usage of our website.
  • Google Translate - provides a translation service to our website visitors.
  • Facebook - used to offer "like" and "share" buttons to like/share pages from our website on Facebook.
  • Twitter - used to offer "follow" buttons to follow Stay Campus London on Twitter.
  • LinkedIn - used to offer "follow" buttons to follow Stay Campus London on LinkedIn.
  • YouTube - used to embed videos on our website.
  • LiveChat - provides a chat service to our website visitors.

Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

Blocking all cookies will have a negative impact upon the usability of many websites. If you block cookies, you will not be able to use all the features on our website.

What to do if you believe that the information we have collected and are using is incorrect?

It is important for both you and us that we hold up to date and accurate information and that the accuracy is maintained during your relationship with us. For this reason, we shall be conducting annual internal audits of the data we hold.

If you become aware of any inaccuracies or you change address, telephone number, email, etc., it is your responsibility to bring this to our attention as quickly as possible. Please inform us as soon of any changes by emailing info@staycampuslondon.com.

You also have the right to withdraw consent to the processing of information for which you have previously given consent.

You may also request access to the data we hold on you. Provision of such information will be subject to:

a)  The payment of a fee (currently fixed at £10).
b)  The supply of appropriate evidence of your identity.

We may withhold personal information that you request to the extent permitted by the law.

To make any of these requests relating to your personal data, please contact us at: info@staycampuslondon.com or contact the Operations Manager (tel: +44 20 3141 7539).

What to do if you have a concern or complaint about how we store, use or share your personal data?

Initially, we would encourage you to raise this with the appropriate department depending on the nature of the concern or complaint who should be able to resolve the matter informally. If following this you do not believe that your concern has been adequately addressed, then you should raise your complaint in writing to our Operations Manager at:

Stay Campus London, 18 Charcot Road, London, NW9 5WU.

In the unlikely event that we have been unable to address your concern internally, you may call the Information Commissioner’s Office helpline on +44 303 123 1113.

Changes to our Privacy Policy

Any changes we may make to our Privacy Policy in the future will be posted on our website in this document. Please check from time to time in order to ensure that you are aware of any changes to our Privacy Policy.