Last updated: 9 November 2023
For the purposes of this Privacy Notice, “UK Data Protection Legislation” is defined as, for the periods in which they are in force, the UK GDPR / Data Protection Act 2018, all laws giving effect or purporting to give effect to or otherwise relating to data protection (to the extent the same apply).
In this notice (the “Privacy Notice”), “CST”, “NTA”, “the Group”, “we”, means Confederation of School Trusts.
The Group includes:
- Confederation of School Trusts (Company number 05303883)
- CST Professional Development Limited (Company number 10354936)
- National Teacher Accreditation Limited (Company number 08650911)
The Group are committed to respecting your privacy.
For the purposes of data protection law the Group is a data controller in respect of your personal data. The Group are responsible for ensuring that the Group use your personal data in compliance with data protection law. The below clauses in this Privacy Notice set out the basis on which any personal data about you, that you provide to us, that the Group create or that the Group collect or generate about you, will be processed by us. This Notice explains how the Group will collect, store and use any personal data you provide via our website, email or networking with our people and when you otherwise communicate with the Group (including in the course of the services the Group provide or the running of our business).
This Privacy Notice also applies to any person whose personal data has been provided to the Group by an agent or direct or indirect owner of a member’s and non-member’s or by an employer or where the Group otherwise use a person’s personal data.
This Privacy Notice may change from time to time and if it does, the up-to-date version will always be available on our website and becomes effective immediately.
Reference to “members and non-members” includes, schools, trusts, individuals and all other potential customers or clients for the Group.
Who the Group are
The Group are registered in the UK, with our registered office address at Suite 1, Whiteley Mill, 39 Nottingham Road, Stapleford, Nottingham NG9 8AD.
- Confederation of School Trusts (CST) ICO registration number is Z328623
- CST Professional Development Ltd (CSTPD) ICO registration number is ZA241127
- National Teacher Accreditation (NTA) ICO registration number is ZA483214
Further company details are set out on our websites(): https://cstuk.org.uk/ and https://nta.org.uk/
For the purposes of Data Protection legislation, CST is the Data Controller for all CST and CSTPD data and information. This means it is responsible for the protection of personal information about you.
CST Professional Development is part of the Group, of which this entity is a joint controller in respect of all personal data where Confederation of School Trusts is a controller.
NTA is the Data Controller for all NTA related data and information and have a Data Sharing Agreement between NTA and CST as required.
As data controllers the Group is responsible for all personal information that they collect, and they are liable if that information is breached.
Types of personal data the Group collect
The type and amount of information we collect depends on why you are providing it.
The information we collect when you make an enquiry to the Group includes your name, role, trust name/school, telephone number and email address.
If you are applying to be a member of the Group, we will ask for details of your Trust/School which will include the name of your Trust/School and the name of your Accounting Officer. We will also ask for details about your Trust/School and which type of membership you wish to apply for. We then ask for details of the executive and governance leaders and member of the central services team in your Trust who would like to be directly included in membership and receive full benefits by email – this includes job title, title, name and email address and whether they are National Leaders of Education. You will also be asked for your email preferences.
If you sign up for an event, or to be part of a network or one of our programmes, in addition to asking for the name, telephone number, email address and role/position of the person making the booking, we also ask for the Trust/school name. We then ask for the title, name, position and email address of each of the attendees being booked onto the event or network. You will also be asked for your email preferences. For our programmes, our Governance Advisory Service or any bespoke training, we may ask for further information in order to ensure that you receive the best outcomes from these services.
For any payment, we will keep copies of your bank details if we need to make regular payments to you – for example refunding travel expenses, doing consultancy work.
If you are a job applicant, the information you are asked to provide is as set out in the application and necessary for the purposes of our considering the application.
NTA SPECIFIC REQUIREMENTS
THE GROUP MAY COLLECT AND PROCESS THE FOLLOWING DATA ABOUT YOU:
Information provided to the Group by you or representative in connection might include:
- Your name and title;
- Contact information, including postal address, telephone number and email address, (including proofs of name and address).
- Date of birth, nationality, National Insurance number, Teacher Reference Number, photograph, signature and copies of identity documents;
- Occupational history, job title;
- Bank details or other financial information as required;
How the Group collect information
The group may collect information from you whenever you contact us or have any involvement with us for example when you:
- visit our website(s) (see our Cookie policy)
- enquire about our activities or services
- ask for advice or support
- book on to an event or join a programme or a professional community
- join the Group as a member Trust/School
- post content onto our website(s)/social media sites
- attend a meeting (either face to face or virtually via Zoom or Microsoft Teams) with us and provide us with information
- take part in our face to face or virtual events
- commission a consultancy service
- provide consultancy work
- contact us in any way including online, email, phone, SMS, social media or post
Where the Group collect information from
The Group collect information:
- From you when you give it to us directly: You may provide your details when you ask us for information, join or register with us, attend our events or contact us for any other reason. Your information may be collected by an organisation we are working in partnership with but we are still jointly responsible for your information.
- When you have given other organisations or individuals permission to share it: Your information may be provided to us by other organisations if you have given them your permission. This might for example be a school registering you for ECT induction or a charity working with us or might be when you buy a product or service from a third-party organisation. The information we receive from other organisations depends on your settings or the option responses you have given them.
- When you use our website: When you use our website information about you is recorded and stored. See the information about the use of cookies under that heading below.
- When it is available on social media: Depending on your settings or the privacy policies applying for social media and messaging services you use, like Facebook, Linked-In, Instagram or Twitter, you might give us permission to access information from those accounts or services.
How the Group use your information
The Group will use your personal information in a number of ways which reflect the legal basis applying to processing of your data. These may include:
- providing you with the information or services you have asked for
- providing you with the benefits of membership, sending you communications with your consent that may be of interest including marketing information about our services and activities, events and publications and other situations for which we seek support
- registering ECTs with the Teaching Regulation Agency and maintaining records of progress reviews and assessments for each ECTs’ induction
- when necessary for carrying out your obligations under any contract between us
- seeking your views on the services or activities we carry out so that we can make improvements
- maintaining our organisational records and ensuring we know how you prefer to be contacted
- analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness
- delivering outcomes from commissioned work with CST or CST Professional Development.
- processing grant or job applications
- manage our relationship with you (and/ or your school/trust), including by maintaining our database of members and non-members and other third parties for administration, accounting and or relationship management purposes
- to market certain services, events and content that may be of interest to you but only if you have give the Group your consent to do so or the Group are otherwise able to do so in accordance with applicable UK Data Protection Legislation.
LEGAL BASIS FOR PROCESSING YOUR INFORMATION
The group are entitled to process your personal data in the ways described above in this privacy Notice for the following reasons:
- Where you have provided information to us for the purposes of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us. You may withdraw consent at any time by emailing us at membership@cstuk.org.uk or admin@nta.org.uk. This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned.
- It is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or on your behalf or to take steps you ask us to prior to entering into a contract.
- It is necessary to discharge relevant legal or regulatory obligations.
- Where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, would presume that there is no prejudice to you in our fulfilling your request.
- As part of our advocacy and support for you and as the sector body for School Trusts, we may from time to time, ask you to take part in research to build and support school Trusts within the education sector. This may involve sharing your information with partners in this research.
- The processing may also be necessary for the legitimate business interests of the Group, such as:
- carrying out our ordinary or reasonable business activities, or those of the applicable manager, or other persons, or other activities previously disclosed to our members and non-members or referred to in this Privacy Notice;
- ensuring compliance with all legal and regulatory obligations and industry standards, and preventing fraud;
- establishing, exercising or defending legal rights or for other purposes relating to legal proceedings;
- ensuring the security of information systems; and
- conducting marketing and promoting our business services.
- in respect of any processing of sensitive personal data falling within special categories, such as any personal data relating to the religious belief, gender/ sexual orientation, and any other special category data, the consent for processing will be explicitly obtained from the subject.
If you want to contact us about your marketing preferences, please contact membership@cstuk.org.uk, or call on 0115 917 0142. For NTA related marketing preferences, please contact admin@nta.org.uk or call on 07720 593542.
How we keep your information safe
We understand the importance of security of your personal information and take appropriate steps to safeguard it.
All electronic data is password protected, documented in the Password Policy distributed to all staff, consultants and contractors.
We always ensure only authorised persons have access to your information, which means only our staff, trustees and contractors, and we ensure that everyone who has access is appropriately trained to manage your information.
Disclosure of your data to third parties
The Group may from time to time, in accordance with the purposes described in this Privacy Notice above, disclose your personal data to other parties, including, but not limited to:
- any subsidiary/affiliates (including CST, CST Professional Development Ltd, NTA),
- service providers,
- support services,
- third parties and partners who enable research (for the good of the school trust or education sector),
- third parties in connection with or employed for an event run by the Group,
- analytics and search engine providers that help us to improve our website and its use consultants and contractors or their affiliates appointed in respect of your contract,
- professional advisers such as law firms or accountancy firms,
- other agents and contractors,
- counterparties,
- courts and regulatory, tax and governmental authorities and Department for Education (where applicable).
Some of these persons will process your personal data in accordance with our instructions, where they act as our data processor and others will themselves be responsible for their use of your personal data where they act as a data controller. This will depend on the purposes of our sharing your personal data. These persons may be permitted to further disclose the data to other parties.
We provide these third parties with the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Transfers of your personal data outside of the UK and European Economic Area
Information held by the Group is stored within our Cloud environment. Your personal data may be transferred to and stored inside of the UK and European Economic Area (the EEA).
Where personal data is transferred outside the UK/EEA, the group will ensure that the transfer is subject to appropriate safeguards by our affiliates or service providers.
You can obtain more details on the protection given to your personal data when it’s transferred outside the UK/EEA, including a copy of any International Data Transfer Agreements entered into with processors of your personal data, by contacting us using the details set out under Contacting the Group or Making a Complaint in this Privacy Notice.
The provision of certain personal data is necessary for the Group to provide the Service and for our compliance (and that of our service providers) with certain legal and regulatory obligations.
Safeguarding your information
The Group have extensive controls in place to maintain the security of our information and information systems. Appropriate controls (such as restricted access) are placed on our computer systems.
As a condition of employment, all employees are required to follow all applicable laws and regulations, including in relation to Data Protection Law. Unauthorised use or disclosure of confidential client information by an employee is prohibited and may result in disciplinary measures.
Keeping your information up to date
We really appreciate it if you let us know if your contact details change. You can do so by contacting any employee of the Group.
Our use of “cookies”
For more information on the cookies the Group use, please see our Cookie Policy.
How long we keep your information for
We will hold your personal information for as long as it is necessary for the relevant activity. Please see our Records Retention Policy.
Where we rely on your consent to contact you for direct marketing purposes, we will treat your consent as lasting only for as long as it is reasonable to do so. This will usually be for three years. We may periodically ask you to renew your consent.
If you ask us to stop contacting you with marketing or fundraising materials, we will keep a record of your contact details and limited information needed to ensure we comply with your request.
Your rights
You have the right to request details of the processing activities that we carry out with your personal information through making a Subject Access Request. To make a request please contact us at dpo@cstuk.org.uk (for CST or CSTPD) or dpo@nta.org.uk.
You also have the following rights:
- the right to request rectification of information that is inaccurate or out of date;
- the right to erasure of your information (known as the “right to be forgotten”);
- the right to restrict the way in which we are dealing with and using your information; and
- the right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”);
- rights in relation to automated decision making and profiling including profiling for marketing purposes.
All of these rights are subject to certain safeguards and limits or exemptions, further details of which can be found in our Data Protection Policy.
If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain refer to Contacting the Group or Making a Complaint section below.
Children
The Group don’t and won’t knowingly collect information from any unsupervised child under the age of 13.
Marketing
The Group may collect and use your personal information for undertaking marketing by email, telephone and post.
The Group may send you certain direct marketing communications (including electronic marketing communications to existing members and non-members) if it’s in our legitimate interests to do so for marketing and business development purposes.
However, we’ll always obtain your consent to direct marketing communications where we’re required to do so by law.
You have the right to ask the Group not to process your personal information for marketing purposes. You can do this by contacting the Group by post or email using the details in the Contacting the Group or Making a Complaint section below.
Contacting the Group or Making a Complaint
If you would like further information on the collection, use, disclosure, transfer or processing of your personal data or the exercise of any of the rights listed above, please address questions, comments and requests to the Data Protection Representative at the Group, using the contact details below.
Email: dpo@cstuk.org.uk (for CST or CSTPD) or dpo@nta.org.uk
If you are not satisfied with the response you receive from us, then you can complain to the ICO:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113 or 01625 545 745 if you prefer to use a national rate number.
You can find out more information about your rights by contacting the UK’s Information Commissioner’s Office, or by searching the ICO website: https://www.ico.org.uk
Changes to this Privacy Policy
We’ll update or amend this Policy from time to time, to comply with law or to meet our changing business requirements. You should bookmark and periodically review this page to make sure that you’re familiar with the most current version and so you’re aware of the information the Group collect, how the Group use it and under what circumstances the Group disclose it.
You can see when our most recent update to this Privacy Notice was by checking the “Last updated” note at the top of this page. Do please check this Policy each time you consider giving your personal information to us.
Compliance
Exceptions to this policy must be approved by the Chief Operating Officer in writing.
All breaches of this policy, actual or suspected must be reported to your line manager initially. In certain cases, the incident may be raised with the Information Security/ Data Protection Team who will ensure it is investigated. Breaches of this policy may be considered as gross misconduct, and in certain cases lead to termination of employment and/or legal action/prosecution.