(Last updated 22nd May 2018)
1. General Information
The Association of Colleges (The AoC) is the membership body for colleges and exists to promote and support their interests. Everything AoC does is aimed at helping colleges deliver their purpose and to make an impact. The AoC believes that every community should be supported by a strong and successful college, which develops students, delivers relevant skills, and supports stronger communities, social justice, employers and the economy.
The AoC is committed to protecting the privacy and security of the personal information of students.
This privacy notice describes how the AoC collects and uses personal information about you during your time at the college for the shared MiDES benchmarking service for AoC members, in accordance with the General Data Protection Regulation (GDPR).
The aim of the MiDES service is to improve the performance of colleges by helping to ensure that they are providing a high-quality service for their local community. Participating colleges upload their student data file (Individualised Learner Record - ILR) to the MiDES server at regular points throughout the year. In return participating colleges receive the latest benchmarked reports, helping them to improve their performance.
The AoC is a “data controller”. This means that they are responsible for deciding how they hold and use personal information about you to deliver the MiDES benchmarking service. They are required under data protection legislation to notify you of the information contained in this privacy notice. Data is processed on behalf of AoC by RCU Ltd. who are the “data processor”.
This notice applies to current students (“data subjects”) who attend colleges that are members of the AoC. This notice does not form part of any contract, and AoC reserves the right to update this notice at any time.
It is important that you read this notice and understand it, together with any other information notice provided on specific occasions when AoC are collecting or processing personal information about you, so that you are aware of how and why AoC are using such information.
2. Data protection officer
AoC have appointed a data protection officer (DPO) to oversee compliance with this information notice. If you have any questions about this information notice or how AoC handle your personal information, please contact the DPO at DPO@aoc.co.uk.
If at any point you believe the information we process on you is incorrect, you can request to see this information and have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data, you can contact AoC’s Data Protection Officer at DPO@aoc.co.uk.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office.
3. Data protection principles
AoC will comply with data protection law. This says that the personal information AoC hold about you must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.
4. The kind of information AoC collects about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection.
The MiDES service has been designed and developed to minimise the use of and access to personal data (see section 5 below). The service uses information from student records (ILR) collected by colleges to create national shared benchmarks. The service uses the following categories of personal information about you:
• Course details and overall performance
• Date of birth, home location, gender
AoC will also collect, store and use the following “special categories” of more sensitive personal information about you:
• Ethnic origin
• Learning difficulties, learning disabilities and/or health problems
5. How is your personal information collected?
AoC collect personal information about students from colleges through the Individualised Learner Record (ILR). Participating colleges upload this data to a secure server managed by RCU Ltd, a partner of AoC and the data processor.
Colleges are advised to remove key personal fields (name, address, email address, national insurance number) from the data prior to upload using tools designed for this purpose. This means that all information which allows data to be attributed to a specific person apart from a student reference number and postcode is removed. Data is uploaded using a secure encrypted SSL link to a cloud-based server where it is held in encrypted format removing any risk of access to personal data.
When all colleges have uploaded data the datasets are downloaded to RCU via a secure encrypted SSL link where any remaining personal identifiers are removed and aggregated college level reports are produced. These reports DO NOT CONTAIN PERSONAL DATA. In any event, any personal data held by RCU will be deleted within three years from collection (three years is required for trend analysis).
6. How AoC will use information about you
AoC will only use your personal information when the law allows us to. AoC will use your personal information for producing MiDES benchmarking reports.
AoC’s lawful basis for processing personal data for MiDES reports is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller in accordance with GDPR Article 6(1)(e).” The public interest is for helping member colleges to understand, review and improve performance through a shared benchmarking service, ensuring that they meet their obligations under the Education Act (2011) to review the educational character of the institution and its mission and to have oversight of its activities.
7. How AoC uses particularly sensitive personal information
MiDES reports also include the following special categories of data (personal sensitive): ethnicity and learning difficulty and/or disability (LLDD). Great care is taken to ensure that this information is only presented at an aggregate level in the reports, and that during transfer or analysis learner records are anonymised and/or encrypted. AoC’s lawful basis for processing this information is “necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR”. The purpose in this instance is to provide information that will help member colleges meet their obligations under the Equality Act (2010) and to promote social mobility.
Recipients or categories of recipients of the personal data:
RCU Ltd (as the Data Processor)
8. Rights of access, correction, erasure, and restriction
Your rights in connection with personal information.
Under certain circumstances, by law you have the right to:
• Request access to your personal information (commonly known as a “data subject access request”). This allows you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that AoC hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
• Object to processing of your personal information where AoC are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer identified under point 1 above, in writing.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
9. Data sharing
The following third-party service providers process personal information about you for the following purposes:
RCU Ltd, as the data processor, shall process data solely for the purposes of the MiDES benchmarking service.
10. Data security
AoC and RCU Ltd have put in place extensive measures to protect the security of your information. Details of these measures are available upon request.
RCU will only process your personal information on AoC’s instructions and where they have agreed to treat the information confidentially and to keep it secure.
RCU have put in place detailed security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. RCU will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from our Data Processing Officer as identified under point 1 above.
RCU have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where legally required to do so.
11. Data retention
AoC will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once AoC and/or any third parties have anonymised your personal information so that it can no longer be associated with you, we may use such information without further notice to you.