Privacy Notice for Students

When you visit the College website, cookies are used to enable us continually to enhance our websites functionality and performance making it as easy as possible for you to use. We utilise first party cookies (originating from us) to simply track your visits between sessions and deliver a more personalised experience and third party cookies (not originating from us) to provide analytic information. In order to access authenticated areas of the website (e.g. applying for a course) it is essential that cookies are enabled and allowed. Other (non-essential) cookies are also used to store individual preferences (e.g. font sizes). It is for these reasons that a cookie free version of this website is not available.

In addition, we use Google Analytics to provide additional information regarding visitors to our site. To opt-out of Google Analytics tracking, please visit the Google Analytics Opt-out for details of available browser plug-ins.

For administrative and business purposes the College needs to hold certain personal information about students. This information is provided by you during the application and enrolment process. Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the GDPR, we will inform you whether you are required to provide certain information to us or if you have a choice in this.

The personal information we hold includes:

• personal data (Name, DoB, contact details, emergency contact details, NI number)
• characteristics - mandatory (sex, ethnicity, language, nationality, residency status)
• characteristics – optional (learning difficulties or disabilities, household status, employment status, in the armed forces, in receipt of free school meals or help from other government agencies)
• optional sensitive information (religion, sexual orientation, preferred gender)
• copies of passports (overseas students)
• qualification information
• relevant medical information, including records from the counselling service, if you use the service
• Special Educational Needs, or EHCP information where applicable
• details of benefits claimed where applicable
• financial information for fee paying students where applicable
• Technical data e.g. IP address/usage etc.
• CCTV

Additional information from third parties:

• SSEN and EHCP – from the Local Authority
• Unique Learner Number – from Learner Records Services
• References – from previous school
• previous qualifications - from Learner Records Services
• Name and email address when registering for College open events - from EventBrite

Your personal information that the College holds is required in order to deliver the training courses on which you have enrolled. If you do not wish to give your personal information, then the College may not be able to offer you a place on a course and may withdraw any offer already made.

We use this information to:

• register you with the appropriate awarding body
• support your learning
• to protect student welfare and carry out safeguarding activities
• monitor and report on progress
• provide appropriate pastoral care
• assess/ensure fairness and equality of our services
• provide academic confirmation reports/references to future employers or educational establishments
• comply with the law regarding funding for education
• receive funding from the appropriate source, e.g. ESFA, Student Finance England, Sponsor
• publication of the annual graduation programme and production of associated merchandise
• keeping you informed of courses available at the College

Under the GDPR, it is necessary for the College to demonstrate the lawfulness of processing your personal information under the following articles:

• Article 6(1)(e) – the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Article 9(2)(g) – the processing is necessary for reasons of substantial public interest.

The lawful reasons for processing your personal information are:

• Consent given freely by you, by signing the enrolment form, or the Open Event contact details form
• for the delivery of the contract to which you are party – i.e. delivery of educational training courses
• for legal obligations to which the College must comply
• in order to protect your vital interests
• legitimate interest

The full list of personal data, the lawful reason for holding it and the length that we will hold it for is listed in the Record of Processing Activities (see Appendix A).

If you make enquiries or apply for a course, but do not to take up a place, you have the right to request that all of your information is removed from our records. Once this request has been made your details will be removed from our records within one month from the request.

If you enroll on a course we will hold your personal information for six years after you have left the College. After six years, we will retain details of your name, date of birth, courses attended and outcomes (and results in the case of University of Surrey students). Contact details and financial details will be maintained for students that remain in debt to the College.

Your personal information will be shared with other organisations for purposes of administration, the provision of career and other guidance and statistical and research purposes, relating to education or training.

Other organisations include:

• Awarding body for your qualification
• Your employer if you are sponsored / on an apprenticeship
• Debt Collection Agency for debtors
• the Department for Education
• the Department for Business Innovation and Skills
• Local Authorities
• Higher Education Statistics Agency
• Higher Education Funding Council for England/Office for Students
• Auditors
• Educational Institutions and organisations performing research and statistical work on behalf of the government funding bodies, or partners of those organisations
• Recruitment and screening agencies for the purposes of academic references
• Printing companies for graduation programmes, and merchandise.

Before sharing any personal data, it will be confirmed that the organization is registered as a data controller or data processor with the UK Information Commissioner’s Office and are GDPR compliant.

The College uses software to store the data we hold and the software providers have access to your personal data as part of their role in maintaining the software– Capita, MyConcern, Forskills. These organisations are registered as data controllers with the UK Information Commissioner’s Office and are GDPR compliant.

We do not share your information with anyone outside of the UK unless specifically requested by you.

Electronic data is stored within the college IT infrastructure, which has restricted access and a variety of other measures in place to ensure its secure. Any data shared outside the organisation is done so via means of encrypting the content.

Under data protection legislation, you have the right to request access to the information that we hold about you. A request to access your personal information is known as a ‘Subject Access Request’ and must be made in writing to the Data Protection Officer.

You also have the right to:

• withdraw your consent to process data, where the lawful basis is stated at ‘Consent’
• object to processing of personal data that is likely to cause, or is causing, damage or distress
• prevent processing for the purpose of direct marketing
• have inaccurate personal data rectified
• have your details erased from our records when they are no longer necessary or have been unlawfully processed
• receive a copy of the data that you have provided in a machine readable format (known as data portability)

If you wish to exercise any of the rights set out above, please complete the form available on the College website, or contact dpo@farn-ct.ac.uk for a copy of the form.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. (Alternatively, we may refuse to comply with your request in these circumstances.)

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/