East Kent Colleges Group is committed to ensuring the privacy of any personal data that it processes.
East Kent Colleges Group processes a substantial amount of personal data in relation to students, staff and other individuals that we work with. In all cases, we commit to ensuring that personal data is handled, stored and disposed of confidentially and securely. We will always undertake to tell individuals how we use their data and why we collect it through our privacy notices, (for further details please see the right to be informed). This page tells you about how we protect personal data, what your rights are and where you can get help.
Our status:
East Kent Colleges Group is the Data Controller.
Our registered address is:
Ramsgate Road
Broadstairs
Kent
CT10 1PN
Our Data Protection Policy outlines the technical and organisational measure that we take to protect personal data.
We will only process your data if it meets one or more of the following lawful bases:
- Consent – where an individual has given their consent via clear, affirmative action e.g. providing a signature or ticking a box;
- Performance of a contract e.g. an employment contract, learning agreement etc;
- Legal obligation – because the law requires the data to be processed e.g. for the purposes of HMRC payments;
- Vital interest – to protect the individual in the case of an emergency;
- Public interest or exercise of official authority e.g. provision of statistical returns, to comply with government funding requirements etc;
We have a records retention schedule in place and will not keep personal data for any longer than we need to. When we dispose of personal data, we use a secure, confidential waste service.
The Data Protection Officer is Jack Collison, Group Director of Corporate Services. He can be contacted at DPO@eastkent.ac.uk or on 01843 605024.
If you’re a data subject and you want to request your personal data, please go to the ‘your rights‘ tab above.
Please note that East Kent Colleges Group does not need to gain consent from a data subject in order in these circumstances.
If you are a parent, carer or guardian wherever possible, we encourage you to use ProPortal to make any enquiries about your child or young person’s course and progress. If you request further information staff will always check whether they are permitted to share this information and must not share data in circumstances where the safety and welfare of a student may be compromised. Staff will always verify the identity of the requestor before releasing any data. This will be done by ensuring the contact number or email address of the requestor matches that on the system before responding. If the caller’s telephone number does not match that on the system, staff will verify identity by asking the caller to verify 3 personal identifiers from the list below:
- Student’s Date of Birth
- Student’s phone number
- Student’s email address
- The course the student is enrolled on
- Student’s first line of address
- Student’s postcode
Callers must answer 3 of the above personal identifier questions correctly for staff to release data to them.
If you have a complaint about how we’ve handled your personal data, you should firstly contact DPO@eastkent.ac.uk. If you’re still not satisfied, you may complain to the Information Commissioner’s Office.
The right to be informed.
We have Privacy Notices for each stage of data processing so that you’re clear about how your data is used. Our Privacy Notices tell you:
- What personal data we collect
- How we use it
- The legal basis for collecting and using your data
- Who may have access to your data
- How long we keep your data for
- What your rights are
- Who to contact
If we need to process your data for any purpose not detailed in our Privacy Notice, we will give you further information and obtain your consent where appropriate.
Our main Privacy Notices are as follows:
- Student enrolment
- Staff application
- Student Bursary
- Eshop goods purchase
- Student Images
- Marketing Privacy Notice
- Student Application Privacy Notice
- DBS confirmation privacy notice
- Data Protection & Complaints Privacy Policy
East Kent Colleges Group’s Colleges and business units have Privacy Notices in place for specific services such as the Canterbury Sports Centre, counselling etc.
We also publish a Register of Processing Activities which gives details about the personal data we collect and use in respect of our students and staff.
The right to access (Subject Access Request)
If you wish to request personal data that we hold about you, you can make your request verbally or in writing. To enable us to provide you with the information in a timely manner, we would prefer you to complete this form and submit it to the department that you’re requesting the information from.
If you are not known to us, we will have to validate your identity which can be done by showing us one or more of the following original documents:
- Passport
- Driving licence
- Bank statement
- Utilities bill
We won’t normally charge to provide information but there may be certain circumstances when a charge can be made: for example, where the request is manifestly unfounded or excessive, we may charge a ‘reasonable fee’ for the administrative costs of complying with the request.
We can also charge a reasonable fee if you request further copies of your data when we’ve already responded to your request. In all cases, we will follow guidance from the Information Commissioner’s Officer and will tell you if any charges apply.
The right to rectification
When you ask for your personal data to be amended we will do this within 20 working days of you telling us. You may advise us verbally of any changes to your personal data (address, telephone number, emergency contact details etc) but we would prefer it if you put it in writing to the relevant department. Please ensure that you tell us when your personal data needs to be amended so that we can maintain accurate records for you.
The right to erasure/deletion
You have the right to ask for your personal data to be deleted if there is no lawful basis for its continued processing. All requests should be made, preferably in writing, to the relevant department. Please note that we do have the right to refuse a request for erasure/deletion if we are obliged to continuing processing your data to meet a lawful basis. Requests for erasure/deletion will be actioned within 20 working days. We will not process data deletion requests from third party websites due to the security implications involved. Please contact us directly if you would like your data erased so we can verify your identity before we action the request for you.
Right to restriction
Requests to restrict us from processing your personal data can be made, however there may be reasons why we may not be able to comply, for example if we need to continue processing the data to meet a lawful basis.
Right to objection
You may object to processing under certain circumstances and requests should be made to the relevant department, preferably in writing
East Kent Colleges Group (EKC Group, “the Group”) is a data controller as defined by the UK General Data Protection Regulation and the Data Protection Act 2018. Our ROPA describes how and why we use personal information. As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data via a subject access request
- require the Group to change incorrect or incomplete data
- require the Group to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
- to restrict the processing of your personal data in certain ways
- to withdraw consent where we have requested and obtained your consent
- to object to certain processing of your personal data by us
- where our lawful basis is consent or performance of a contract we will allow portability of your data.
If you would like to exercise any of these rights, please contact your College or training provider.
The Group needs to collect and process personal data in order to provide services to students, manage its operations effectively, and meet legal requirements. The Record of Processing Activity (ROPA) details the categories of data subjects and personal data that we process, as well as the purpose of the processing along with any recipients the personal data may be shared with.
Personal data is information that relates to an identifiable individual. It can also include ‘special category data’, which is sensitive information for example data related to your racial or ethnic origin, religious or other beliefs, physical or mental health, the processing of which is subject to strict requirements. Similarly, information about criminal convictions and offences is also subject to strict requirements.
Purposes for processing information
The Group processes large volumes of personal data for several purposes, for example:
- Providing education and support services to our students and apprentices.
- Delivering the services agreed in our contracts.
- Safeguarding the health and safety of our staff, students, apprentices and third parties.
- Management and administration of research.
- Financial purposes.
- Data security and integrity management.
- Statutory returns and other legal obligations.
- The prevention and detection of crime.
- Marketing and event promotion.
- Recruitment (students and staff).
Through all stages of our data processing, we remain compliant with the Data Protection Act 2018 (‘DPA’).
Categories of data subjects
- Students and apprentices (current, prospective, withdrawn)
- Parents, guardians, and carers of students and apprentices (current, prospective, withdrawn)
- Staff (current, prospective, and unsuccessful applicants)
- Former staff
- Volunteers, students on work placements
- Employers and business contacts
- Professional, statutory and regulatory bodies
- Contractors
- Visitors
- Guests (of The Yarrow Hotel)
- Third parties participating in research, teaching or placements
- Complainants, enquirers and persons who may be the subject of an enquiry
- Individuals captured by CCTV or photography
- Suppliers, professional advisers and consultants
- Landlords and tenants
Categories of personal data
- Biographical information and contact details
- Education details and pupil records
- Employment records and data
- Financial details
- Health and disability data
- Lifestyle and social circumstances data
- Misconduct, disciplinary and grievances investigations and outcomes
- Next of kin and emergency contact information
- Qualifications and professional memberships information
- Students and apprentices record, attendance, and academic data
- Survey/feedback information
- Vetting and barring checks
- Visual images (for identification, publicity, security, and promotions)
We may also process the following special categories of personal data (for example, in the case that you choose to provide these to us or for us to meet our statutory obligations):
- Racial or ethnic origin
- Political opinion
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for the purpose of identifying a person)
- Health data
- Sex life or sexual orientation
- Criminal conviction information (where required)
Recipients of personal data
In certain circumstances we must share personal data with a third party if this is required by law or because it otherwise deems it to be necessary to achieve a specified purpose. The Group complies with the UK General Data Protection Regulation and the Data Protection Act 2018 when disclosing personal data.
The types of people and organisations that we may be required to share personal data with is as follows:
- Auditors (internal and external)
- Employers (previous and current)
- Financial organisations, debt collection and tracing agencies
- Governmental bodies including UKVI, ESFA, and DSA
- Healthcare, social and welfare organisations
- Local Authorities
- Third party statistical agencies
- Official bodies requiring information for legal purposes (e.g. police, solicitors etc.)
- Professional and regulatory bodies, including examining and accreditation bodies
- Suppliers and service providers, including consultants and professional advisers
- Parents, guardians, carers
- Work experience or other placement providers
Transfers of data to a third country
It may be necessary for us to transfer personal data outside the UK where our data processors hold servers outside the UK or where suppliers, service providers and research partners are based outside the UK.
Where we transfer personal data outside of the UK as part of these relationships, we ensure appropriate contracts or other safeguards are in place.
Retention of data
The Group only holds personal data for as long as is necessary for the purpose(s) for which it is collected. The Group have a detailed Record Retention Policy in place.
Technological and organisational security measures
The Group takes the security of your data seriously. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.
We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with our data protection, confidentiality and security standards.
Privacy notices
Privacy notices exist within the Group in respect of data held, you will be presented with these as and when you access services or use facilities. You will also find them here.
Complaints
The Data Protection Officer is responsible for advising the Group on compliance with data protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the Group is processing your personal data, please contact the DPO named below.
| ROPA for | EKC Group (“The Group”) |
| ICO Registration Number | Z7597166 |
| Date Registered | 2018 |
| Data Controller | EKC Group |
| Data Protection Officer (DPO) | Jack Collison
01843 605034 |
If you are unsatisfied with the way we have processed your personal data, or have any questions or concerns about your data please contact the DPO (details above). If we are not able to resolve the issue to your satisfaction, you have the right to apply to the Information Commissioner’s Office (ICO).
Last review: 04/12/2024
We are a group of six community-based colleges
