Oxford Catalyst takes the privacy and information security of customers, potential customers, students and their parents/guardians extremely seriously. We collect, use and are responsible for certain personal information about individuals. When we do so we are subject to the General Data Protection Regulation (GDPR)*, which describes how organisations must collect, handle and store information. The rules apply regardless of how data is stored.
[*NB As a European Regulation, GDPR has a direct effect in UK law and automatically applies in the UK until we leave the EU (or until the end of any agreed transition period, if we leave with a deal). After this date, it will form part of UK law under the European Union (Withdrawal) Act 2018, with some technical changes to make it work effectively in a UK context.]
This policy applies to the entire Oxford Catalyst workforce, including staff members, contractors and all other people working on behalf of the company. The policy applies to all data that the Company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act.
Oxford Catalyst, as a “controller” of individuals’ personal information, will comply with the principles of the Data Protection Act 2018 by ensuring that personal data is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Not kept for longer than is necessary
Processed in line with individuals’ rights
Not transferred to other countries without adequate protection
"Processing" means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.
Personal data we collect about individuals
"Personal data" means recorded information we hold about individuals from which they may be identified. It may include contact details, date of birth, gender, race, ethnicity, religious beliefs, orientation, medical and dietary information, education history, billing details and financial information, photographs, contact history, assessment results, expressions of opinion about individuals, or indications as to our intentions about them.
This personal information is required to provide services to the students who register with us, or to provide information about services individuals may be interested in receiving from us. If individuals do not provide personal information we ask for, it may delay or prevent us from providing information or services to them.
How we collect personal information
We collect most of this personal information directly from individuals or their parents/legal guardians - in person, by telephone or Skype, text or email, via application or enrolment documentation they may complete, and/or via enquiries on our website.
How and why we use personal information
Under data protection law, we can only use an individual’s personal information if we have a proper reason for doing so, eg to comply with our legal and regulatory obligations; to enable us to fulfil our contract with an individual, or to take steps at their request before entering into a contract; to detect and minimise fraud; to ensure safe working practices and health and safety regulations are met; where there is a valid business or commercial reason to use an individual’s information, so long as this is not overridden by their rights and interests; for statistical analysis and auditing purposes or where an individual has given consent.
Special category personal information (eg information revealing an individual’s health, race, or religious beliefs) will only be processed with the individual’s explicit consent.
Oxford Catalyst may use an individual’s personal information to send updates (by email, text message, telephone or post) about our services, including promotions or new services. We have a legitimate interest in processing personal information for promotional purposes, which means we do not usually need an individual’s consent to send them relevant promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.
We will always treat an individual’s personal information with the utmost respect and never sell or share it with other organisations for marketing purposes.
An individual has the right to opt out of receiving promotional communications at any time by:
contacting us at email@example.com
using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts, if any
We may ask individuals to confirm or update their marketing preferences if they instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.
Sharing personal information
We may share personal information with third parties, agencies, consultants and contractors we use to help us run our business, eg Lady Margaret Hall’s accommodation, catering and facility staff, teachers and teaching agencies, our bank and payment service providers, insurance providers, suppliers of personalised student materials, introducer agents and agencies, account auditors, events hosts and organisers, and marketing agencies.
We only allow our service providers to handle an individual’s personal information if we are satisfied they take appropriate measures to protect their personal information.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We will not share an individual’s personal information with any other third party.
Where personal information is held
Information may be held at our offices and those of our third-party agencies, service providers, representatives and agents as described above.
How long personal information will be kept
We will keep an individual’s personal information while we are providing services to them. Thereafter, we will keep personal information only for as long as is necessary:
to respond to any questions, complaints or claims;
to safeguard our students;
to keep records of course attendance;
to keep records required by law;
to keep in touch with an individual at their request.
Different retention periods apply for different circumstances/types of personal information, including, for example, if a student experiences a medical emergency during their time with us. When it is no longer necessary to retain an individual’s personal information, we will delete or anonymise it.
Rights of the individual
Individuals have the following rights:
The right to be provided with a copy of their personal information
The right to require us to correct any mistakes in their personal information
The right to require us to delete their personal information in certain situations
The right to require us to restrict processing of their personal information in certain circumstances, eg if the accuracy of the data is contested
The right to receive the personal information they provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party in certain situations
The right to object at any time to their personal information being processed for direct marketing (including profiling)
The right to object in certain other situations to our continued processing of their personal information, eg processing carried out for the purpose of our legitimate interests
The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal and/or significant effects concerning them
These rights may be exercised free of charge. For further information on each of those rights, including the circumstances in which they apply, please see Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the GDPR.
To exercise any of those rights, please email us at firstname.lastname@example.org with enough information to identify you (eg your full name and address) and tell us what right you wish to exercise and the information to which your request relates.
Rights to student data
Under English law once people reach the age of 13 they have the right to consent to the use of their data for online services. Young people who are able to understand the concepts involved in data regulation and its corresponding rights also have the right to consent or object to the exercise of rights over their data by their parents or carers. Therefore, if an individual wishes to access a student’s data or exercise another right over that data we will first assess the student’s understanding of the relevant concepts and may then need to seek the student’s consent.
Keeping personal information secure
We have appropriate security measures to prevent personal information from being accidentally lost or used or accessed unlawfully. We limit access to personal information to those who have a genuine business need to access it. Those processing personal information will do so only in an authorised manner and are subject to a duty of confidentiality. We will notify individuals and any applicable regulator of a suspected data security breach where we are legally required to do so.
How to complain
Oxford Catalyst will strive to resolve any query or concern raised about our use of personal information.
The GDPR also gives the right to lodge a complaint with a supervisory authority, in particular in any European Union (or European Economic Area) state where an individual works, normally lives or where any alleged infringement of data protection laws has taken place. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or by telephoning: +44 303 123 1113.
Oxford Catalyst, September 2019