Cargilfield School (“the School”, “we”, “our”, “us”) is a company limited by guarantee (registration number SC025080) and a registered charity (registration number SC005757) located at 45 Gamekeeper’s Road, Edinburgh EH4 6HU. The objects of the School are to provide, in Scotland, the United Kingdom or elsewhere, education for boys and girls of all age groups, whether on a boarding or day school basis, to provide all appropriate educational, sporting and residential facilities for this purpose; and to promote education generally. The Board of Governors of the School takes collective responsibility for the decisions made in name of the School. However, the Headmaster of the School has day-to-day responsibility for the management and operation of the School and the care of the pupils at the School.
The School is a data controller in terms of Data Protection Law (this means, from 25 May 2018, the EU General Data Protection Regulation 2016/679, the Data Protection Act 2018 and any other legislation enacted that relates to data protection) (“Data Protection Law”). This means that the School determines the purposes for which, and the means by which, the personal data of living individuals is processed. The Friends of Cargilfield Association, as a body associated with the School, is also covered by this Privacy Notice. References in this Privacy Notice to the School include the Friends of Cargilfield Association.
Personal data means any data that relates to a living individual who can be identified directly from that data, or indirectly from that data combined with other information available to the School as a data controller. It does not include data where the identity has been removed completely (such as anonymous data). There are some ‘special categories’ of more sensitive personal data which require a higher level of protection under Data Protection Law.
Purpose of this Privacy Notice
The purpose of this Privacy Notice is to provide information about how the School will collect and thereafter process (or use) personal data about individuals including:
• current, prospective and past pupils (“pupils”);
• their parents, carers or guardians ( “parents”);
• current, prospective or past employees (“employees” – including permanent and temporary staff,
governors, agency workers, contractors, consultants, volunteers and secondees); and
• members of the School’s alumni society (“alumni”).
Employees, parents, pupils and alumni are all encouraged to read this Privacy Notice and understand the School’s obligations. The School is required under Data Protection Law to notify you of the information contained in this Privacy Notice. However, this Notice does not form part of any contract for services or contract of employment.
This Privacy Notice applies alongside any other information the School may provide about a particular use of personal data, for example when collecting data via an online or paper form. This Privacy Notice also applies in addition to the School's other relevant terms and conditions and policies, including:
• any contract between the School and its staff, or the School and parents/pupils;
• the School’s Data Protection Policy;
• the School's policy on taking, storing and using images of children;
• the School’s CCTV policy;
• the School’s Records Retention policy;
• the School's safeguarding, pastoral, or health and safety policies, including as to how concerns or incidents are recorded; and
• the School's IT policy (incorporating its Acceptable Use policy, eSafety policy, WiFi policy, Remote Working policy, Bring Your Own Device policy).
Changes to this Privacy Notice
The School reserves the right to update this Privacy Notice at any time.
Data Protection Officer
We have appointed a Data Protection Officer (“DPO”) to oversee our compliance with Data Protection Law. If you have any questions about this Privacy Notice or how we handle personal data, please contact the DPO in writing using the details below.
Data Protection Officer
Address: Cargilfield School, 45 Gamekeeper’s Road, Edinbugh, EH4 6HU
Anyone who works for, or acts on behalf of, the School should be aware of this Privacy Notice and comply with the School's policies. It is important for us to ensure that the personal data we hold about you is accurate. Please help us to update our records by notifying us of any changes to your personal data by contacting our DPO.
Commitment to privacy and security of personal data
The School is committed to protecting the privacy and security of personal data and to complying with Data Protection Law. The law says that the personal data that we hold must be used in a way that complies with the following data protection principles:
• Used in a lawful, fair and transparent way.
• Collected only for valid purposes that we have clearly explained and not used in any way that is
incompatible with those purposes.
• Relevant to the purposes for which it was collected and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes for which it was collected.
• Kept securely.
Whose personal data do we collect?
The School collects personal data relating to individuals who fall into one or more of the categories listed below. This list represents the current, former and prospective stages of each category in the list in relation to the School:
• Suppliers and contractors
• Visitors to the School, to School events and to the School’s website
Purposes and legal basis for processing personal data
Processing for the performance of a contract:
The School processes a wide range of personal data as part of its daily operations and activities. Some of the operations and activities have to be undertaken by the School in order to fulfil its legal rights, duties or obligations, including those under a contract with its staff or parents /pupils.
Processing in the legitimate interest of the School or a third party:
Other uses of personal data will be made in accordance with the School’s legitimate interests, or the legitimate interests of another person, provided that these are not outweighed by the impact on individuals and provided it does not involve special category or sensitive types of data. Examples of such interests are included below under “Examples of how we might use your information”.
Processing based on consent:
Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct fundraising communications to you via email, or in relation to the use of images of individuals on our website/social media or in promotional materials.
Withdrawal of consent
Where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our DPO at the address listed on the previous page. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to.
Change in purposes of processing
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain what we consider to be the lawful basis which we are relying on to do so.
What categories of personal data do we process?
• Identity and contact data: e.g. names; addresses; contact phone numbers; email addresses; personal correspondence.
• Financial/contractual data: e.g. bank account details and other financial information, e.g. in respect of parents seeking Bursary assistance, or to process salaries, admissions and/or bursary applications; credit check information; tax details; salary details; expenses details; employment details, directorships, shareholding details
• Education/Professional data: e.g. educational records; references for pupils; exam results; disciplinary records; tutor and teacher notes; references given or received by the School about pupils or employees.
• HR data: e.g. relating to employees of the School and prospective employees; job titles; CVs; application forms; agency referrals; references given or received by the School about employees.
• Images and monitoring: e.g. of pupils, employees, parents and occasionally other individuals engaging in School activities for promotional purposes and educational purposes; images captured by the School's CCTV system (in accordance with the School's policies on CCTV and Taking, Storing and Using Images of pupils); swipe/fob records; PC login details; car details (about those who use our car parking facilities); use of email and internet.
• Relationship data: e.g. contact details for their next of kin; information about family relationships; marriage details.
Special category data
We may also collect, store and use the following ‘special categories’ of more sensitive personal information about you, either: with explicit consent; to perform our duties under a contract with you; to meet some other legal obligation; or to protect the vital interests of an individual in certain circumstances. Examples of the types of special category or sensitive personal data we might process are:
• special access requirements;
• safeguarding concerns;
• health and medical data, e.g. allergies, prescriptions, surgeries, therapies and treatment;
• criminal convictions and offences, e.g. for PVG checks.
How else might we use your personal data?
The School may also use your personal data for the following activities:
To manage parent/pupil relationships with the School:
• For the purposes of assessment for admission (and to confirm the identity of prospective pupils and their parents)
• To provide education services, including musical education and physical training, career services, extra-curricular activities and monitoring pupils' progress and educational needs
• To enable relevant authorities to monitor the School's performance and to intervene or assist with incidents as appropriate
• To give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupil attended or where it is proposed they attend; and to provide references to potential employers of past pupils
• To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the School
• To safeguard pupils’ welfare and provide appropriate pastoral care
• For security purposes, including CCTV in accordance with the School’s CCTV policy
• Where otherwise reasonably necessary for the School's purposes, including to obtain appropriate
professional advice and insurance for the School
• Sending updates from the school
• Invitations to events
• Offering in-house medical services
• promote academic and extra-curricular achievements
To raise the School profile or to raise donations:
• Send relevant updates on the fundraising activities of the School
• Send segmented appeals requesting donations
• Process single and regular donations
• Manage your previous donations to the School
• Submit Gift Aid claims to HMRC
For prospective, existing, or former employees:
• To manage the recruitment process
• Processing PVG application forms
• Paying salaries, pension contributions and tax
• For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);
• Managing leave, disciplinary actions, grievance procedures
To provide benefits of being a member of the Friends of Cargilfield Association:
• Sending information about events
• Sending the Newsletter
• Provide access to an online alumni portal
• To keep a register of pupils who have attended the School
How do we collect your personal data?
Personal data is generally collected directly from individuals, when they enter into a contract with the School or interact with the School in some way. Additional data is collated during an individual’s relationship with the school and may be sourced from third parties for certain purposes (depending on the individual’s relationship with the School).
Where is your information stored?
The School stores personal data in electronic format and in hard copy format. We have strict access policies in place, including our IT Security Policy and other associated policies, to ensure that only authorised persons can access your personal data. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. The School has put in place appropriate security measures to protect your personal data from being accidentally lost, or used, accessed, altered, disclosed or destroyed unlawfully. The School has procedures to deal with any information security incident effectively and in compliance with Data Protection Law, including complying with requirements to notify you and the UK ICO where appropriate of any personal data security breach.
How long do we retain your personal data for?
The School retains personal data only for so long as is necessary for the purposes for which the personal data was collected, including satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the volume, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Further information can be found in our Records Retention Schedule.
Who do we share your personal data with?
We may need to share some of your personal data with third parties in order to fulfil our purposes and for those third parties to provide services to us to support our operations and activities. When we share personal data with a third party, we will always make sure that we have the necessary contracts in place to ensure the security of your personal data, that those third parties act on our instructions and do not use the personal data for their own purposes. We will only share that data in accordance with the law. All these third parties are required to take appropriate security measures to protect your personal data in line with our own policies and to comply with Data Protection law. We may also need to share your personal information with a regulator to comply with the law.
Examples of third parties we may share personal data with include:
• administrative database providers
• email marketing providers
• postal direct mail providers
• educational service (including online) providers
• local authorities
• pension providers
• IT services including cloud storage providers
• Medical professionals
• consultancy organisations who may analyse our data
• professional advisers
• regulatory bodies
Transfers of personal data outwith the EU
Some of our processes may require us to transfer data outside of the EU, for example, this occurs when we use a third-party processor who have servers based outside of the EU, e.g. in the USA. The European Commission has issued an adequacy decision in relation to transfers to the USA, under the EU-US Privacy Shield Framework. For transfers to third parties not covered by specific agreements such as the Privacy Shield Framework, we will always ensure that any transfers of personal data are subject to appropriate safeguards, either under adequacy decisions or binding corporate rules or standard contractual clauses put in place by the appropriate regulatory bodies.
Individual rights under Data Protection law
In certain circumstances, individuals have the legal right to:
Request access to their personal information. This is known as a subject access request. Individuals can request a copy of the personal data we hold about them and check that we are processing it in accordance with the law.
Request correction of the personal data we hold about them and have any incomplete or inaccurate data we hold about them corrected.
Request erasure of their personal data, where they consider that there is no good reason for us continuing to process it.
Object to the processing of their personal data, where we rely on a legitimate interest ground for processing and there is some reason why the individual wants to object to processing on this ground. Individuals also have the right to object to processing where we are processing their personal data for direct marketing.
Request the restriction of processing of their personal data, by asking us to suspend the processing of personal data, for example, to establish its accuracy or the reason for processing.
Request the transfer of their personal data to another party.
Contact point for you to exercise your individual rights
If you want to request access to, review, verify, correct or request erasure of your personal data, object to processing of your personal data or request that we transfer a copy of your personal data to another party, please contact DPO at the address listed on Page 2 of this Privacy Notice. Ordinarily, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, if your request for access is clearly unfounded or excessive, we may charge a reasonable fee for access or refuse to comply with the request.
Before you can exercise your rights as an individual, we may need to request specific information from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights). This may be necessary to ensure that your personal data are not disclosed to an unauthorised person.
Exercise of rights by children/pupils
The School recognises that children have rights under Data Protection Law in relation to their personal data.
For the purposes of delivering our obligations under the Parent/Pupil contract with the School, we will usually liaise with parents and share personal data of their children with them, e.g. relating to their child’s progress and behaviour, school activities and the general well-being of their child. Where a pupil seeks to raise concerns confidentially with an employee of the School and expressly withholds heir agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise, for example, where we reasonably consider that disclosure is likely to be in the best interests of the pupil in any given circumstances, or where disclosure is required by law.
A person with parental responsibility will generally be entitled to make a subject access request on behalf a pupil, but the information in question is always considered to belong to the individual to whom the personal data relates and in some cases a mandate from the pupil may be required. In Scotland, the law presumes that a child aged 12 years or more has the capacity to exercise their rights under Data Protection Law. A pupil of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity), the consent or authority of the child may need to be sought by the parent(s) making such a request.
If you have any concerns over how you think we are using your personal data, please contact our DPO in the first instance at the address listed earlier in this Privacy Notice. You also have a right to complain to the UK ICO at any time about our processing of your personal data.
The UK ICO can be contacted at:
Information Commissioner’s Office
Tel: 0303 123 1113
Policy updated: 17 May 2018