Cardiff Steiner School Privacy and Cookie Policies

Cardiff Steiner School is the operating name of Cardiff Steiner Early Years Centre Ltd, a registered charity number 1149061 and a company limited by guarantee number 07998357.

Privacy Notice for Pupils

Cardiff Steiner School is responsible for looking after your personal information.  When we say “we” in this notice, this means Cardiff Steiner School.  We are required by law to look after the information we hold about you; this notice tells you how we do this.

Personal information is any information which is about you, from which you can be identified.

Please make sure you read this privacy notice carefully. If you would like more information, please speak to Miranda Knight.

What personal information might the School hold about you
  • Your full name, date of birth, class and photograph;
  • Your home address, home telephone number and mobile number;
  • Your personal email address;
  • Your academic records and test results;
  • Your medical records (including special education needs and/or accidents); and
  • Your religion or ethnicity.
Information we receive from, and share with, other companies

We will share your information with your parents. If you are not British, we may have to provide information about you to UK Visas and Immigration.

We may work with other institutions such as your previous or new school, nurses or doctors, school photographers, local authorities, social services, police (where there are concerns with your safety), education authorities, ALN co-ordinators, and the school’s professional advisors. We might receive or share information about you from them or give information to them.  We will only do so as set out in this notice. We may also use CCTV footage to ensure the school is safe and monitor who is visiting the School. See ‘Transfer of personal information outside the country’ below for more details.

Contact us if you have any further questions

If you have any questions about this notice then please speak to your teacher.  We have a Data Protection Co-ordinator, Jenny Grewal, who can explain in more detail how your information is looked after.

How the School uses your information

We will use the information you and your parents give us as is necessary to provide you with the information and services that your parents request from us (to look after you, teach you and to deal with any queries they may have). We are also required by law to take a register, keep a personal file about you, keep a record of your behaviour and provide a written report on your progress.

We also use your information to promote the objects and interest of our schools, ensuring the most efficient management of the school and ensuring that the school’s legal obligations are adhered to; and use your photograph as part of a manual ID system.  These are known as “legitimate interests”.

Help from third parties. We rely on software applications and other technology provided by other people to handle your information. These include text and email messaging communications and cloud-based data storage. The companies we use to deliver these applications are carefully chosen by us to ensure that your information is kept secure. See ‘Transfer of personal information outside the country’ below for more details.

Sensitive Personal Data

When we hold details about your health and wellbeing, this information is called “sensitive personal data” which means we treat this information even more carefully. We will need to hold sensitive personal data about you (a) for carrying out our obligations in the field of social security or social protection law, (b) for identifying medical problems or provision of health care or (c) to protect your vital interests. To achieve this, we may also use software applications and other technology.

Where we need your consent

We get your or your parent’s permission if we use any photos  of you on any of our marketing materials (including our prospectus or website or Social media). You may withdraw your permission should you wish by letting Jenny Grewal know.

You do not have to give us details about your religion or ethnicity if you do not want to. If you do, we will use this to help run the school (e.g. if your religion means that you have certain dietary requirements) and to monitor equal opportunities. You can ask us to delete this information at any time.

Transfer of personal information outside the country

Sometimes your information will need to be transferred to, and stored outside the UK. We take all steps reasonably and legally necessary to ensure that your information is safe.

For the New Zealand Certificate of Steiner Education (NZCSE) in Upper School we regularly transfer your personal information to New Zealand and SEDT who are the  educational company who manage and develop the Certificate in New Zealand and overseas. This includes use of the Tarn Group’s Bracken Platform application. Bracken requires users to create a unique user name and password that must be entered each time a user logs on. Bracken issues a session “cookie” only to record encrypted authentication information for the duration of a specific session. When required a user can access secured areas of their website which protects your information using both server authentication and data encryption, ensuring your data is safe, secure, and available only to authorised persons and are transmitted over a secure, encrypted connection.

Your Rights
  • Right to request access to your personal information (a “subject access request” or “SAR”).
  • Right to request correction of the personal information that we hold about you.
  • Right to request deletion of your personal information.
  • Right to object to processing of your personal information.
  • Right to request the restriction of processing of your personal information.
  • Right to request the transfer of your personal information to another organisation (e.g. another school).
  • Right to complain to the Information Commissioners Office about what we are doing with your information: https://ico.org.uk/concerns/.
How long we keep your personal information

We will not keep any personal information about you for any longer than is necessary. Generally, we keep your pupil record file until you are 25 (even if you have changed school) after which it is destroyed. We follow a personal data retention policy which determines how long we keep specific types of personal information for. For further information, please speak to Jenny Grewal.

Changes to this Privacy Notice

We may change this notice, we will let you know if we do.


Privacy Notice for Parents

Introduction

Cardiff Steiner School is committed to protecting and respecting your and your child’s privacy.  Cardiff Steiner School is the operating name of Cardiff Steiner Early Years Centre Ltd, a registered charity number 1149061 and a company limited by guarantee number 07998357. In this privacy notice, references to “we”, “us”, “our”, or ‘the School’ is a reference to Cardiff Steiner School.

1.1 This privacy notice sets out the basis on which any personal data we collect from you or your child, or that you provide to us, is handled by us. We also have a privacy policy for our pupils available on our website.
1.2 Please read the following carefully to understand our views and practices regarding your and your child’s personal data and how we will treat it.
1.3 For the purposes of the General Data Protection Regulation 2016/679 (GDPR), we are the data controller and our address is Cardiff Steiner School, Hawthorn Road West, Llandaff North, Cardiff CF14 2FL. Our ICO registration number is ZA164739
1.4 If you are reading this privacy notice online, we recommend that you print and retain a copy for future reference.

2 Information we collect about you

Information you give us

2.1 You may give us personal data about you, in a number of ways; these include:
2.1.1 using, visiting or interacting with our website (such as filling out forms or registering on our website);
2.1.2 visiting our school;
2.1.3 corresponding with us by phone, e-mail or post; and
2.1.4 sending information directly to us, for example when paying our fees, giving us medical records or information about your child’s health, completing school admission forms, signing our parent contract or providing information as requested by us and/or which is necessary from time to time.

2.2 The information you give us may include the following information about you and / or your child:
2.2.1 full name;
2.2.2 date of birth and year group;
2.2.3 contact details (including home address, e-mail address, and mobile, home and/or work phone number);
2.2.4 financial and credit card information;
2.2.5 photograph;
2.2.6 your child’s birth certificate, proof of your address, passport details, nationality and other information relating to immigration status;
2.2.7 education and health records (including additional learning needs, medical or physical conditions and/or accidents);
2.2.8 previous educational records and achievements;
2.2.9 (where appropriate) family circumstances (including your relation to the child and your marital status); and
2.2.10 religion and ethnicity.

2.3 With regard to each of your visits to our website we may automatically collect the following information:
2.3.1 technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
2.3.2 information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time); pages you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our number.
2.4 Our website may contain links to and from the websites of our partner networks, advertisers, suppliers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.


Information we receive from other sources

2.5 We may be working closely with third parties (including, for example, your child’s previous or new school(s), medical practitioners, photographers, local authorities, education authorities, payment and delivery services, debt collectors, lawyers and credit reference agencies) and may receive information about you from them.
2.6 We may also use CCTV footage to ensure the school is safe. 

3 Cookies

3.1 Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Policy which is made available on our website.

4 Contact Us

4.1 Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to Jenny Grewal  at Cardiff Steiner School, Hawthorn Road West, Llandaff North,

5 Uses made of this information

Information you give to us

5.1 We will use the information you give to us to pursue the following legitimate interests:

5.1.1 to deliver educational services to your child;
5.1.2 to protect the welfare of your child, promote the objects and interest of our schools, ensure the most efficient management of the schools and ensure that the schools’ legal obligations are adhered to;
5.1.3 to store this information on the school’s chosen management information system;
5.1.4 to use your child’s photograph internally within the school for display in school halls or classrooms;
5.1.5 to manage any queries or disputes you or your child may have with us or that we have with you or your child;
5.1.6 to enforce our terms of use with you or any other contract we may have with you (including the Registration Contract);
5.1.7 where your child is attending our School, to provide you with information about other similar services we offer as part of the education and overall development of your child at the school – such as after school clubs or open days, School news, talks and parent information events and upcoming events your child may be involved in; and to send out surveys to you by email as part of our Parent Surveys which are part of our school improvement tool.
5.1.8 once your child has left the school, to keep you up to date with key school news and upcoming events; and
5.1.9 to send out surveys to you by email as part of our Parent Surveys which are part of our school improvement tool.

5.2 In order to pursue the legitimate interests referred to in paragraphs 5.1.1 and 5.1.3, our schools also rely on software applications and other technology to process personal data about you and your children. These include the school’s management information systems, text and email messaging communications, cloud-based data storage, SAGE software as part of our invoicing and billing system and Tarn Groups’ Bracken application for Upper School pupils (see ‘Transfer of personal information outside the country’ below for more details).  The third parties we use to deliver these applications are carefully chosen and vetted by us to ensure that, among other things, your and your child’s personal data is kept secure. For further information on the kind of technology we use, please contact our Data Protection Co-ordinator (see paragraph 4).

5.3 We will also use the information you give to us as is necessary to carry out our obligations arising from the contract (or potential contract) between you and us and to provide you with the information and services that you request from us. For example, we will provide education services to your child and will use personal data where necessary to deliver these services. We will also use your personal information to invoice you for our services pursuant to the contract between you and us. We will also require a certain amount of personal information about you and your child at the pre-contract enquiry and application stage.

5.4 In addition, we are required by law to do the following (which is not an exhaustive list):

5.4.1 keep an admissions and attendance register;
5.4.2 keep pupil files (including, where relevant, additional learning needs and child protection files);
5.4.3 keep a record of behaviour sanctions; and
5.4.4 provide an annual written report on pupil progress and attainment.

5.5 Inevitably, there will be an overlap between what we do that is necessary to (a) perform our contract with you, (b) carry out our legal obligations and (c) pursue a legitimate interest although we have tried our best to demarcate these as set out above. If you have any questions about these please contact our Data Protection Co-ordinator (see paragraph 4).

Information we collect about you from our website

5.6 We will use this information for the following legitimate interests:
5.6.1 If you have made an enquiry via our online enquiry forms:  to contact you, and/or to inform you of school based services, school news and future events including our open days, events and fairs  (you may opt out of this on the enquiry form and at each subsequent communication);

If you have enrolled your child at the School, or have actively expressed an interest in the school for your child  – for example, by booking a visit, requesting a prospectus or asking for more details of what we offer, then we will send you direct marketing by post or email of own similar products or services  such as  school news and future events including our open days, events and fairs. We will only do this where you did not initially refuse the use of your details for such direct marketing,  or at the time of each subsequent communication
5.6.2 to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
5.6.3 to improve our website to ensure that content is presented in the most effective manner, and your online experience is as effective and appropriate as possible, for you and for your computer;
5.6.4 as part of our efforts to keep our website safe and secure.

Information we receive from other sources

5.7 We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for one of the purposes set out above (depending on the types of information we receive). For example, we may receive a court order relating to you which impacts on our use of your and your child’s information to protect the welfare of the child.
5.8 Also, social services or health practitioners may provide us with information (particularly sensitive personal data) about your child which may need to be added to the school’s child protection or additional learning needs file. This kind of processing of sensitive personal data may be necessary (a) for the purposes of carrying out our obligations in the field of social security or social protection law, (b) for medical diagnosis or provision of health care and/or (c) to protect the vital interests of your child or another person taking into account the mental and physical capacity of your child.
5.9 In order to achieve the purposes described in paragraph 5.8, the school may do the following:
5.9.1 keep a list of your child’s allergies or medical requirements within the classroom, kitchen or office in case of emergency. It is necessary for the school to have a list readily available to our staff so that we are able to look after your child promptly in the event of a medical emergency; and
5.9.2 rely on software applications and other technology to process medical information (such as allergies, accidents and injuries) about you and your children. For further information on the kind of technology we use, particularly in the context of processing sensitive personal data about your child, please contact our Data Protection Co-ordinator (see paragraph 4).

When we disclose information

5.10 In order to pursue one of the legitimate interests set out above, we may share your and your child’s personal information with:
5.10.1 SEDT (for Upper School pupils) See transmission of personal information outside the EEA in section 6.
5.10.2 local authorities, education authorities (for example, Estyn), the Welsh Goverment/ Department for Education, CSIW, ALN co-ordinators, social services or the police where we have reason to believe there are safeguarding concerns in respect of your child;
5.10.3 where your child is not British, we may have to provide information about you or your child to UK Visas and Immigration;
5.10.4 professional advisors, debt collector, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
5.10.5 credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
5.11 We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use the terms of the Registration Contract (between us and you) and other agreements. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Where we need to get your consent

5.12 We will not market services to you (other than in accordance with paragraph 5.1.8,  5.1.9 and 5.6.1 above) without your consent and you have the right to ask us not to use your contact details for marketing.
5.13 We will get your permission (on our Registration Contract) to post any photographs of your child on any of our marketing materials (including our prospectus, advertisements, website or social media). You may withdraw of change your permission by letting our Data Protection Co-ordinator (see paragraph 4) know.
5.14 You or your child do not have to give us details about your child’s religion or ethnicity if you do not want to. If you do provide us with this information, we only use these details to assist us with the day-to-day running of the school (for example, if your child’s religion means that he or she has particular dietary requirements then we will of course be much better informed if we have this information to cater to your child’s requirements) and for equal opportunities monitoring purposes.
Where you have given consent to the above, you can withdraw this consent at any time by contacting the Data Protection Coordinator (see paragraph 4).

6 Transmission of personal information outside the EEA

6.1 The data that we process about you and your child may be transferred to, and stored at, a destination outside the European Economic Area (EEA). We try to limit this where possible but it may be necessary where, for example, one of our suppliers has a data centre outside the EEA. We will take all steps reasonably necessary to ensure that your and your child’s data is treated securely and in accordance with this privacy notice and that the appropriate legal safeguards are in place prior to the transfer, for example ensuring that any contracts between us and the recipient of the information have EU-approved standard data protection clauses, or the country we are transferring the data to is deemed by the EU Commission as adequate.

For the New Zealand Certificate of Steiner Education (NZCSE) in Upper School we regularly transfer your personal information to New Zealand and SEDT who are the  educational company who manage and develop the Certificate in New Zealand and overseas. This includes use of the Tarn Group’s Bracken Platform application. Bracken requires users to create a unique user name and password that must be entered each time a user logs on. Bracken issues a session “cookie” only to record encrypted authentication information for the duration of a specific session. When required a user can access secured areas of their website which protects your information using both server authentication and data encryption, ensuring your data is safe, secure, and available only to authorised persons and are transmitted over a secure, encrypted connection.

7 Your Rights

7.1 Under the GDPR, you and your child have the following rights:
7.1.1 Right to correction. You have the right to have inaccurate personal data about you or your child rectified.
7.1.2 The right to erasure. You have the right to request that we delete your and your child’s personal data where: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or processed; (b) you withdraw your consent to processing for which we previously obtained your consent; (c) you object to the processing and, as a result, we agree to cease that processing (please see paragraph 7.1.5 for more details); (d) the personal data has been unlawfully processed; and (e) we are required to erase the personal data in order to comply with the law.
7.1.3 Right to restriction. You have the right to obtain from us the restriction of processing where: (a) you contest the accuracy of the personal data we hold about you; (b) the personal data has been unlawfully processed; (c) we no longer need the personal data but they are required in limited circumstances; and (d) you object to the processing and, as a result, we agree to cease that processing (please see paragraph 7.1.5 for more details).
7.1.4 Right to request transfer. In certain circumstances, you have the right to receive personal data from us in a structured, commonly used and machine-readable format and the right to transmit it to a third party organisation.
7.1.5 Right to object. You have the right to raise an objection to any of our processing in paragraphs 5.1 and 5.2. Please tell us if you object to any type of processing that we do and we will work with you to address any concerns you may have.
7.1.6 Right to object to marketing. If you do not want us to process your personal data for direct marketing, please tell us and we will ensure that we no longer do this.
7.1.7 Right to complain to the ICO. Whilst we would always prefer it if you approached us first about any complaints or queries you may have, you always have the right to lodge a complaint with the Information Commissioner’s Office.
7.1.8 Right to request access. You have the right to access personal data we hold about you. We encourage you to contact the school’s Data Protection Co-ordinator and request our standard SAR form for you to complete in order to help us process your request.

8 How long we keep your personal information

8.1 We will not keep any personal data about you for any longer than is necessary for the purposes for which the personal data are processed.
8.2 As a general rule, we keep your child’s education records until they reach 25 years of age at which point we destroy the file. This is regardless of whether their file has been transferred to another school, in the event that your child transfers schools.
8.3 We follow a personal data retention policy which determines how long we keep specific types of personal information for. For further information about the criteria we use to determine what periods we keep specific information, please contact our Data Protection Co-ordinator (see paragraph 4).

9 Use of our website

9.1 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

10 Change to our privacy notice

10.1 Any changes we make to this privacy notice in the future will be posted on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy notice.


Use of Cookies

What is a cookie?
A cookie is a small text file that may be placed on your device when you visit our sites. When you next visit our sites the cookie allows us to distinguish you from other users.

There are two broad categories of cookies:

  1. Persistent cookies
    Persistent cookies remain on your device until deleted manually or automatically.
  2. Session cookies
    Session cookies remain on your device until you close your browser when they are automatically deleted.

Cookies we use and why we use them

  1. Essential cookies
    Essential cookies are technical cookies that are required for the operation of our site. Without essential cookies our sites can’t operate properly. Essential cookies include, for example, cookies that enable you to log into secure areas.
  2. Performance cookies
    Performance cookies allow us to recognise and count the number of visitors to our site and to see how visitors move around them. This helps us to improve the way our sites work by enabling us to tailor our sites to the way visitors use them. The information we collect from performance cookies is aggregated which means that we cannot identify you from it.
  3. Experience cookies
    Experience cookies allow our site to remember the choices you make. Our sites use experience cookies to provide you with enhanced and personalised features. For example, we use information collected through what are known as “web-analytic” cookies to compare the choices you make to those of our other visitors so that we can learn from those choices.
    Information collected by experience cookies cannot track your browsing activity when you leave our sites to browse other sites.
  4. Marketing cookies
    Marketing cookies record your visits to our site, the pages you have visited and the links you have followed. We use this information to make our sites more relevant to your interests. Sometimes we use marketing cookies to show you adverts about the School elsewhere online such as Facebook and social media.

Your right to refuse cookies and what happens if you refuse them
You can refuse cookies by activating the relevant setting on your browser. However, if you do so you may not be able to access all or parts of our site. If you carry on using our site and do not change your browser settings we will assume you consent to us using cookies as described above.

Use of Your Information

We use the information that we collect from you to provide our services to you.  In addition to this we may use the information for one or more of the following purposes:

  1. To provide information to you that you request from us relating to our products or services.
  2. To inform you of any changes to our website, services or goods and products.

If you have enrolled your child at the School, or have actively expressed an interest in the school for your child  – for example, by booking a visit, requesting a prospectus or asking for more details of what we offer, then we will send you direct marketing by post or email of our own similar products or services  such as  school news and future events including  open days, events and fairs. We will only do this where you did not initially refuse the use of your details for such direct marketing,  or at the time of each subsequent communication

Storing Your Personal Data

In operating our website it may become necessary to transfer data that we collect from you to locations outside of the European Union for processing and storing. By providing your personal data to us, you agree to this transfer, storing or processing. We do our upmost to ensure that all reasonable steps are taken to make sure that your data is treated and stored securely.

Unfortunately the sending of information via the internet is not totally secure and on occasion such information can be intercepted. We cannot guarantee the security of data that you choose to send us electronically, sending such information is entirely at your own risk.

Disclosing Your Information

We will not disclose your personal information to any other party other than in accordance with this Privacy Policy and in the circumstances detailed below:

  1. Where we are legally required by law to disclose your personal information.
  2. To further fraud protection and reduce the risk of fraud.

Third Party Links

On occasion we include links to third parties on this website. Where we provide a link it does not mean that we endorse or approve that site’s policy towards visitor privacy. You should review their privacy policy before sending them any personal data.

Access to Information

In accordance with the Data Protection Act 1998 you have the right to access any information that we hold relating to you. Please note that we reserve the right to charge a fee of £10 to cover costs incurred by us in providing you with the information.