Privacy notice – Introduction
Fettes the Venue (FTV) is part of Fettes Enterprises Ltd with registration number SC187460. FTV is a Data Controller for the purposes of Data Protection Law (the Data Protection Act 2018, the General Protection Regulation (EU) 2016/679 and any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Union (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection), which means it determines how an individual’s personal data is processed and for what purposes.
Fettes the Venue is located within Fettes College, an independent boarding and day school. Some of the additional policies mentioned in this document relate to policies managed by Fettes College due to the nature of both organisations operating within the same grounds.
Fettes the Venue aims to promote and provide a venue for events, weddings and residential lettings.
About this policy
This Notice is intended to provide information about how FTV will use (or “process”) personal data about individuals including: its personnel, its current, past and prospective clients and guests.
This information is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used. FTV’s personnel, clients, prospective clients and visitors are all encouraged to read this Privacy Notice and understand FTV’s obligations to its entire community.
This Privacy Notice also applies in addition to FTV’s other relevant notices and policies, including:
- any contract between FTV and its staff and clients;
- FTV’s policy on taking, storing and using images;
- FTV’s policy on the use of CCTV (managed by Fettes College);
- FTV’s retention of records policy;
- FTV’s safeguarding and pastoral policies
- FTV’s Health and Safety policy, including how concerns or incidents are recorded;
- FTV’s IT policies, including its Acceptable Use policy and Online Safety policy (managed by Fettes College)
Whose data we collect
We collect data relating to individuals who fall into one or more of the categories listed below. This list is not exhaustive and represents the current, former and prospective stages of each category in the list:
- Suppliers and contractors
Purposes for processing personal data
In order to carry out its ordinary duties to clients, staff, students and parents, FTV may process a wide range of personal data about individuals (including current, past and prospective staff, students or parents) as part of its daily operation.
Some of this activity FTV will need to carry out in order to fulfil its legal rights, duties or obligations – including those under a contract with its staff, clients, guests and students. Other uses of personal data will be made in accordance with FTV’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on data subjects, and provided it does not involve special or sensitive types of data. Examples of such interests are included below under “Examples of how we might use your information”.
In addition, FTV may need to process special category personal data (concerning health, ethnicity, religion, biometric data or sexual life) or criminal records information (such as when carrying out PVG checks) in accordance with rights or duties imposed on it by law, including safeguarding and employment, or from time to time by explicit consent where required. These may include:
- To safeguard students’ welfare and provide appropriate pastoral (and where necessary, medical) care and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s health to medical professionals where it is in the individual’s interests to do so.
- To provide educational services in the context of any special educational needs of a pupil;
- In connection with employment of its staff, for example PVG checks, welfare or pension plans;
- For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
Examples of how we might use your information
The below is a list of FTV’s processing activities that may fall within its, or a third party’s legitimate interest. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
How we might use your information to manage your contract with FTV
- To provide access to facilities and services offered by FTV;
- To safeguard students’ welfare and provide appropriate pastoral care;
- To process financial transactions to ensure the efficient and timely management of payment to use our facilities;
- For security purposes, including CCTV in accordance with the School’s CCTV policy;
- Where otherwise reasonably necessary for FTV’s purposes, including to obtain appropriate professional advice and insurance for Fettes Enterprises Ltd.;
- To send updates to clients about the FTV’s activities that clients can get involved in or any other relevant news about FTV;
- Invitations to events;
- To market FTV to former clients or prospective clients where we have consent to do so
How we might use your information if you are a prospective, existing or former employee
- To manage the recruitment process
- Processing PVG application forms
- Paying salaries, pension contributions and tax
- For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);
- Managing leave, disciplinary actions, grievance procedures
- To provide a safe and secure working environment
What information we collect
We will only store relevant data that allows us to fulfil our purposes outlined above. Data is generally collected directly from individuals when they enter into a contract with FTV. Additional data is collected during an individual’s relationship with FTV.
Examples of the data we store include:
- Names, addresses, contact phone numbers, email addresses;
- Familial relationships;
- Bank details and financial transactions;
- Where appropriate, information about individuals’ health and contact details for their next of kin;
- Correspondence, attendance at meetings or events, meeting notes;
- References given or received by FTV about staff or prospective staff or information provided by previous employers and/or other professionals or organisations;
- Images and video footage of clients and students (and occasionally other individuals) engaging in FTV activities and images captured by the School’s CCTV system (in accordance with the School’s policies on CCTV and Taking, Storing and Using Images of students);
- Car details (about those who use our car parking facilities);
- Information, such as CVs, relating to past, present and prospective FTV personnel;
- Higher education, profession, employment information;
- Affinity, engagement;
- Biometric data
- Health/medical data
- Criminal data
Where your information is stored
Data is stored both electronically and in hard copy format where necessary. There are strict access policies in place where only authorised personnel can access the information they require. Data storage locations may include:
- Centralised administration databases
- Shared internal hard drive
- Individual hard drives
- Personal laptops, phones and iPads – may contain temporary notes that will be transferred to a central location
- Filing cabinets
- Third parties (See below for more information on data that is shared with third parties)
How we keep your information secure
All those who have access to, and are associated with the processing of, personal data are legally obliged to respect the confidentiality of any data they need to access in order to carry out their work and are obliged to process data in accordance with our internal policies outlined in ‘About this Notice’.
How long we keep your data for
As per our internal Retention Policy, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Sharing data with third parties
We may need to share some of your data with a third-party provider to fulfil our purposes. When we share data with a third party we will always ensure that we have the necessary contracts in place to ensure the security of your data. We will only share special category data, securely, with a third party if it is our legal obligation or in order to provide onsite medical care. Examples of third party processors may include:
- Administrative databases
- Email marketing providers
- Direct mail service providers
- Educational service (including online) providers
- Local authorities
- Pension providers
- IT services including cloud storage providers
- Appointed GP Practice
- Consultancy organisations who may analyse our data
- Professional advisors
Transfer of personal data outside of the EEA
Restrictions of data leaving the EEA are in place to ensure that the level of data protection available to individuals within the EEA is not compromised.
Some of our processes may require us to transfer data outside of the EEA. Generally, this occurs when we use a third-party processor who have servers based outside of the EEA. In these instances, we will ensure that the appropriate safeguards in place to ensure an individual’s data protection rights are met.
Getting in touch
If you would like to get in touch to update your information, amend your preferences, change the way we process your information or for any general data protection enquiries, you can do so by using the following means:
Post: Fettes the Venue, Fettes College, Carrington Road, EH4 1QX
Phone: +44 (0) 131 311 6971
If you feel your data has not been used in accordance with this policy, please notify us by using the contact details outlined above. We do hope that any matters of complaint may be resolved between the complainant and Fettes Enterprises Ltd, however, if you feel the need to leverage any complaint where there has been no satisfactory resolution in dealing directly with Fettes Enterprises Ltd, you may contact the ICO ico.org.uk/, who are the governing body for data protection information in the UK.
The rights under Data Protection Law belong to the individual to whom the data relates. For the purposes of delivering our obligations under the FTV contract, we will usually liaise with the parent and share student data with them relating to their child’s progress and behaviour, FTV activities and the general wellbeing of their child.
Where a student seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where FTV believes disclosure will be in the best interests of any child or is required by law.
How to find out if we are processing your data and request a copy of your information
You have the right to ask if your data is being processed by us and the right to ask for a copy of the data related to you that we are processing. A person with parental responsibility will generally be entitled to make a subject access request on behalf a child, but the information in question is always considered to belong to the individual to whom the data relates. In Scotland, the law presumes that a child of 12 years or more has the capacity to exercise their rights under the Data Protection Law. A child of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity) their consent or authority may need to be sought by the parent making such a request. Requests for data that are excessive or repetitive will be subject to a fee.
How to have your data amended or deleted
You have the right to have inaccurate data rectified or completed (if it is incomplete), or have your data erased. Some exceptions may apply where we have another lawful reason to continue to process your data.
How to stop us using your data for certain purposes
You have the right to withdraw consent (if it was given) or object to certain processes, such as fundraising activities, as long as it does not interfere with contractual or lawful obligations that we still may need to fulfil.
How to transfer data
You have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
To act upon any of your rights outlined above please contact us using the details provided. Requests may be made verbally or in writing. We will aim to respond to any such requests within one month of receipt. We may need to take steps to confirm the identity of the requestor depending on the method in which the request was made. Some requests (or part thereof) may be refused and in such cases, we will respond outlining the reason for refusal.