THE BOLTON SCHOOL
FOUNDATION
Privacy Notice
Written by: Clerk & Treasurer
Date published: April 2019
Approved by: Executive
Date Approved: April 2019
Last Reviewed by: Clerk & Treasurer
Manager responsible for next Review: Clerk & Treasurer

PRIVACY NOTICE
Bolton School is an independent day school constituted as a charitable company registered under
charity number 1110703, and as a company limited by guarantee under company number 05458883.
The objects of the charity are the provision and conduct in or near Bolton of a day School and Nursery
for boys and girls.

Bolton School is required to process personal data and as such is a data controller for the purposes of
data protection legislation including the General Data Protection Regulation (EU 2016/679) (“GDPR”)
and the UK Data Protection Act 2018. In accordance with such legislation each data controller should
have, provide and maintain its own Privacy Notice and comply with the relevant legislation regarding
the handling of personal data.
The school is registered as a data controller under the legislation under the registration number
Z934173X.

This Privacy Notice is intended to cover the data processing of Bolton School Limited and its 100%
owned subsidiary, Bolton School Services Limited (BSSL), collectively referred to as the Bolton School
‘Foundation’. It is further intended to cover the data processing which Bolton School undertakes in
administrating and managing the activities of the Scott Bolton Trust.

For the avoidance of doubt, in this notice all references to the School and the Foundation’s processing
of data are intended to also include BSSL and the Scott Bolton Trust’s processing of data.

WHAT THIS PRIVACY NOTICE IS FOR
This privacy notice is intended to provide information about how the Foundation will use (or “process”)
personal data about individuals including: its current, past and prospective staff and pupils; the pupils’
parents, carers or guardians (referred to in this policy as “parents”) and its trading clients.

This information is provided in accordance with the rights of individuals under Data Protection Law to
understand how their data are used. Staff, parents, pupils and clients are all encouraged to read this
Privacy Notice and understand the Foundation’s obligations to its entire community.

This Privacy Notice applies alongside any other information the Foundation may provide about a
particular use of personal data, for example when collecting data via an online or paper form.

This Privacy Notice applies in addition to the School and the Foundation’s other relevant terms and
conditions and policies, including:

 any contract between the Foundation and its staff or the parents of pupils, or other clients;
 the Foundation’s policies and procedures on taking, storing and using images of children;
 the Foundation’s CCTV policies and procedures;
 the Foundation’s retention of records, policies, guidelines and procedures;
 the Foundation’s safeguarding, pastoral, or health and safety policies, including how
concerns or incidents are recorded;
 the Foundation’s ICT policies, including Acceptable Use policies; and
 The Foundation’s Development Office Privacy Statement.

Anyone who works for, or acts on behalf of, the Foundation (including staff, volunteers, governors and
service providers) should be aware of and comply with this Privacy Notice which provides information
about how personal data about individuals will be used.

RESPONSIBILITY FOR DATA PROTECTION
The Foundation has appointed the Clerk & Treasurer, Mrs C L Fox, to be responsible for regulatory
compliance in this area. She will deal with all your requests and enquiries concerning the
Foundation’s uses of your personal data (see section on Your Rights below) and endeavour to ensure
that all personal data is processed in compliance with this policy and Data Protection Law. She can be
contacted at CLFox@boltonschool.org or c/o Bolton School, Chorley New Road, Bolton BL1 4PA or by
telephoning 01204 434715.

KEY TERMS
“Data controllers” means organisations, including independent schools, which determine how
people’s personal data is processed and for what purpose.

“Data Subjects” means any living individuals whose data the Data Controller processes.

“Processing” means any action in relation to that personal data, including filing and communication.

“Personal Data” includes everything from which a Data Subject can be identified. It ranges from simple
contact details via personnel or pupil files to safeguarding information, and encompasses opinions, file
notes or minutes, a record of anyone’s intentions towards that person, and communications (such as
emails) with or about them.

Some categories of Personal Data are “special category data”. These comprise data revealing racial or
ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; data
concerning health or data concerning a natural person’s sex life or sexual orientation; and biometric
data. Extra safeguards are provided by law for processing of such data.

KEY REQUIREMENTS OF THE GDPR
GDPR determines the six most important legal requirements for a Privacy Notice to be:

(a) the identity and the contact details of the data controller (the Bolton School Foundation);
(b) details of any relevant person at the School to contact;
(c) the purposes and legal basis for any processing at the School and wider Foundation;
(d) a list of legitimate interests, where relied on;
(e) anyone the data is passed onto, even in general terms; and
(f) whether the data leaves the European Union (for example because of cloud storage).

WHY THE FOUNDATION NEEDS TO PROCESS PERSONAL DATA
In order to carry out its ordinary duties to staff, pupils, parents and clients, the Foundation needs to
process a wide range of personal data about individuals (including current, past and prospective
staff, pupils or parents) as part of its daily operation.

Some of this activity the Foundation will need to carry out in order to fulfil its legal rights, duties or
obligations – including those under a contract with its staff, or parents of its pupils, or clients.
Other uses of personal data will be made in accordance with the Foundation’s legitimate interests, or
the legitimate interests of another, provided that these are not outweighed by the impact on
individuals, and provided it does not involve special or sensitive types of data.

The Foundation expects that the following uses will fall within that category of its (or its community’s)
“legitimate interests”:

 For the purposes of pupil selection (and to confirm the identity of prospective pupils and their
parents);
 To provide education services, including musical education, physical training or spiritual
development, career services, and extra-curricular activities to pupils, and to monitor the
pupils’ progress and educational needs;
 For the purposes of keeping in touch with parents, alumni and other members of the school
community to keep them updated about the activities of the Foundation, including by sending
updates and newsletters, by email and by post;
 To maintain relationships with alumni and the School and wider Foundation community,
including direct marketing or fundraising activity;
 For the purposes of donor due diligence, and to confirm the identity of prospective donors and
their background and relevant interests;
 For the purposes of management planning and forecasting, research and statistical analysis,
including that imposed or provided for by law (such as tax, diversity or gender pay gap
analysis);
 To enable relevant authorities to monitor the School’s performance and to intervene or assist
with incidents as appropriate;
 To enable staff recruitment, staff performance monitoring and the giving and receiving of
references for past, current and prospective new members of staff;
 To give and receive information and references about past, current and prospective pupils,
including relating to outstanding fees or payment history, to/from any educational institution
that the pupil attended or where it is proposed they attend; and to provide references to
potential employers of past pupils;
 To enable pupils to take part in national or other assessments, including cognitive ability
testing, and to publish the results of public examinations or other achievements of pupils of
the School;
 To safeguard pupils’ welfare and provide appropriate pastoral care;
 To monitor (as appropriate) use of the Foundation’s IT and communications systems in
accordance with the Foundation’s IT: acceptable use policy;
 To make use of photographic images of pupils in School publications, including emailed
newsletters, on the School website and (where appropriate) on the School’s social media
channels in accordance with the Foundation’s policy on taking, storing and using images of
children;
 For security and safeguarding purposes, including biometrics and CCTV in accordance with the
Foundation’s relevant policies;
 To carry out or cooperate with any school or external complaints, disciplinary or investigation
processes;
 For safeguarding purposes and to reassure parents, using a CCTV camera system in the
Nursery; and
 Where otherwise reasonably necessary for any of the Foundation’s purposes, including to
obtain appropriate professional advice and insurances.

In addition, the Foundation will on occasion need to process special category personal data
(concerning health, ethnicity, religion, biometrics or sexual life) or criminal records information (such
as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including
as regards safeguarding and employment, or from time to time by explicit consent where required.

These reasons will include:

 To safeguard pupils’ and staff welfare and provide appropriate pastoral (and where necessary,
medical) care, and to take appropriate action in the event of an emergency, incident or
accident, including by disclosing details of an individual’s medical condition or other relevant
information where it is in the individual’s interests to do so: for example for medical advice,
for social protection, safeguarding, and cooperation with police or social services, for
insurance purposes or to caterers or organisers of Foundation trips who need to be made
aware of dietary or medical needs;
 To provide educational services in the context of any special educational needs of a pupil;
 To provide spiritual education in the context of any religious beliefs;
 In connection with employment of its staff, for example DBS checks, welfare, union
membership or pension plans;
 To run any of its systems that operate on biometric data, such as for security and other forms
of pupil or staff identification (lockers, lunch etc.);
 As part of any Foundation or external complaints, disciplinary or investigation process that
involves such data, for example if there are SEN, health or safeguarding elements; or
 For legal and regulatory purposes (for example child protection, diversity monitoring and
health and safety) and to comply with its legal obligations and duties of care.

LEGITIMATE INTERESTS
Legitimate interests, and not consent, will be the primary legal condition the Foundation relies on for
processing most pupil and alumni data. It will also be highly likely to apply to other types of personal
data (staff and parent) processed by schools, although where the Foundation has a direct contract with
an individual (e.g. an employee, client, contractor or parent) then there may also be a contractual basis
to process that individual’s data.

However, neither contractual grounds nor legitimate interests will be sufficient to process sensitive or
“special category” personal data. This will usually require explicit consent to process, except where the
Foundation is acting under a statutory right or obligation (e.g. concerning employment or
safeguarding) or if particular rare and urgent grounds exist (e.g. preventing or detecting a crime,
working with social services, or acting to protect someone’s vital interests to protect them from
imminent harm).

WHEN THE BOLTON SCHOOL FOUNDATION WILL SEEK TO OBTAIN CONSENT
(i) Direct Marketing: this includes communications promoting the “aims and ideals” of the
Foundation as well as communications about fundraising, with strict consent rules where it is
sent by electronic means (e.g. email or SMS) or if the Foundation wants to make marketing
calls to parents or alumni.
(ii) Examination Results: The school will separately inform pupils and parents (and provide an
opportunity to raise any objections) where it intends to publish exam results other than on an
anonymous basis (e.g. if released to the media or on a publicly accessible notice board).
(iii) Monitoring emails, internet and telephone usage: Strict rules apply to monitoring of pupil
internet use, emails and calls (except where this is done on an anonymous basis, e.g. to
monitor email or internet traffic within the school as a whole). Although KCSIE prescribes that
Schools have in place appropriate filtering and monitoring for the purpose of safeguarding,
this will not be used as a basis to allow casual or routine interception of communications,
notably calls and messaging. However, monitoring may become justifiable in certain
circumstances in compliance with KCSIE.
(iv) Using certain types of Special Category Personal Data: the school will seek explicit consent to
hold and use biometric data.
(v) Unexpected or intrusive uses of images of pupils: certain uses, such as CCTV or school
photography for use in the Foundation’s own “community” media (e.g. its publications,
including emailed newsletters and the intranet), including where individuals are clearly
identifiable from the photograph, and sometimes named, are considered to be part of the
contractual and legitimate interest of the Foundation. However, should an individual not wish
to be included in such usage, they should make this known to the Foundation and those
wishes will be respected.
Sometimes, external media usage may be better dealt with by consent: especially where a
child is identified by name or especially prominently featured, or in swimming or games
clothes. Please remember that, once given, consent may be withdrawn at any time.
If you wish to make any representation to the Foundation about how your data, including
images, are used, please contact the Clerk & Treasurer at CLFox@boltonschool.org or c/o
Bolton School, Chorley New Road, Bolton BL1 4PA or by telephoning 01204 434715.

TYPES OF PERSONAL DATA PROCESSED BY THE BOLTON SCHOOL FOUNDATION
This will include by way of example:

 names, addresses, telephone numbers, e-mail addresses and other contact details;
 car details;
 biometric information;
 bank details and other financial information, e.g. about parents who pay fees to the School;
 past, present and prospective pupils’ academic, disciplinary, admissions and attendance
records (including information about any special needs), and examination scripts and marks;
 personnel files, including in connection with academics, employment or safeguarding;
 where appropriate, information about individuals’ health and welfare, and contact details for
their next of kin;
 references given or received by the Foundation about pupils or staff, and relevant information
provided by previous educational establishments and/or other professionals or organisations
working with pupils or staff;
 correspondence with and concerning staff, pupils and parents past and present;
 images of pupils (and occasionally other individuals) engaging in Foundation activities, and
images captured by the Foundation’s CCTV camera systems (in accordance with the
Foundation’s policy on taking, storing and using images of children);
 A pupil photograph will be used in the School Management System and on their Identity Card,
and
 Alumni data as detailed in the Development Office Privacy Statement.

HOW THE BOLTON SCHOOL FOUNDATION COLLECTS DATA
Generally, the Foundation receives personal data from the individual directly (including, in the case of
pupils, from their parents). This may be via a form, or simply in the ordinary course of interaction or
communication (such as email or written assessments).

However in some cases personal data will be supplied by third parties (for example another School, or
other professionals or authorities working with that individual); or collected from publicly available
resources.

WHO HAS ACCESS TO PERSONAL DATA AND WHO THE FOUNDATION SHARES IT WITH
Occasionally, the Foundation will need to share personal information relating to its community with
third parties, such as professional advisers (lawyers, insurers, PR advisers and accountants) or relevant
authorities (HMRC, DfE, police or the local authority) or appropriate regulatory bodies (e.g. the ISI, the
Charities Commission or the Information Commissioner’s Office (ICO)) or relevant agencies (such as
external data analysis organisations for the purposes of analysing examination results or cognitive
ability testing).

For the most part, personal data collected by the Foundation will remain within the Foundation, and
will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need
to know’ basis). Appropriate individuals may include pupils and other volunteers performing the
Foundation’s legitimate business, for example when pupils volunteer in the library or help out in the
lower schools. Particularly strict rules of access apply in the context of:
 medical records and
 pastoral or safeguarding files.

However, a certain amount of any SEN pupil’s relevant information will need to be provided to staff
more widely in the context of providing the necessary care and education that the pupil requires.

Staff, pupils and parents are reminded that the Foundation is under duties imposed by law and
statutory guidance (including Keeping Children Safe in Education) to record or report incidents and
concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they
meet a certain threshold of seriousness in their nature or regularity. This is likely to include file notes
on personnel or pupils, including the express wishes of the child and any court orders which may be in
place and in some cases referrals to relevant authorities such as the LADO or police. For further
information about this, please view the Foundation’s Safeguarding Policy.

Finally, in accordance with Data Protection Law, some of the Foundation’s processing activity is carried
out on its behalf by third parties, such as mailing houses, IT systems, web developers or cloud storage
providers. This is always subject to contractual assurances that personal data will be kept securely and
only in accordance with the Foundation’s specific directions.

DATA PROCESSING REGARDING EXTERNAL EXAMINATIONS
Examination results, outcomes of reviews of marking, reviews of moderation and appeals may be
shared within an examination consortium where such exists and may be retained according to their
policies. External examination results will be shared with external data analysis organisations for the
purposes of results analysis. Where malpractice is suspected or alleged then personal data may be
shared with other awarding bodies, the qualifications regulator or professional bodies in accordance
with JCQ policies, procedures and ‘Information for Candidates – Privacy Notice’. Information or
evidence provided to support a request for special consideration may be shared with the relevant
awarding body, will be retained in school and may be used to support any application to a further
institution. Examination related data will be processed, retained and shared with educational bodies
where necessary in order to provide an audit trail of the results certificated and to maintain an accurate
record of an individual’s achievements.

HOW LONG WE KEEP PERSONAL DATA
The GDPR does not fundamentally change the principles for length of document retention – it is
still a question of relevance and purpose, as well as data security.

It does, however, have stricter rules about use and storage of personal data generally with the
practical effect of requiring more dynamic, efficient and secure storage systems.
Bolton School Foundation will retain personal data securely and only in line with how long it is
necessary to keep for a legitimate and lawful reason.

A limited and reasonable amount of information will be kept for archiving purposes, for example; and
even where you have requested we no longer keep in touch with you, we will need to keep a record
of the fact in order to fulfil your wishes (called a “suppression record”).

If you have any specific queries about how our retention decisions are applied, or about the
Foundation’s guidelines for the retention of data or wish to request that personal data that you no
longer believe to be relevant is considered for erasure, please contact the Clerk & Treasurer at
CLFox@boltonschool.org or c/o Bolton School, Chorley New Road, Bolton BL1 4PA or by telephoning
01204 434715. However, please bear in mind that the Foundation will often have lawful and
necessary reasons to hold on to some personal data even following such request.

KEEPING IN TOUCH AND SUPPORTING THE FOUNDATION
The Foundation will use the contact details of parents, alumni and other members of the school
community to keep them updated about the activities of the Foundation, or alumni and parent events
of interest, including by sending updates and newsletters, by email and by post. Unless the relevant
individual objects, the Foundation will also:

 Share personal data about parents and/or alumni, as appropriate, with organisations set up to
help establish and maintain relationships with the school community, such as the parent/staff
associations and alumni associations;

 Contact parents and/or alumni by post and email in order to promote and raise funds for the
school and, where appropriate, other worthy causes;

 Collect information from publicly available sources about parents’ and former pupils’
occupation and activities, in order to maximise the school’s fundraising potential;

 Use personal data to develop and deliver a range of alumni services.
Should you wish to limit or object to any such use, or would like further information about them, please
contact the Clerk & Treasurer in writing. You always have the right to withdraw consent, where given,
or otherwise object to direct marketing or fundraising. However, the Foundation is nonetheless likely
to retain some of your details (not least to ensure that no more communications are sent to that
particular address, email or telephone number).

YOUR RIGHTS
 Rights of access.
Individuals have various rights under Data Protection Law to access and understand personal data
about them held by the Foundation, and in some cases ask for it to be erased or amended or have it
transferred to others, or for the Foundation to stop processing it – but subject to certain exemptions
and limitations.

Any individual wishing to access or amend their personal data, or wishing it to be transferred to
another person or organisation, or who has some other objection to how their personal data is used,
should put their request in writing to the Clerk & Treasurer.

The Foundation will endeavour to respond to any such written requests as soon as is reasonably
practicable and in any event within statutory time-limits (which is one month in the case of requests
for access to information).

The Foundation will be better able to respond quickly to smaller, targeted requests for information. If
the request for information is manifestly excessive or similar to previous requests, the Foundation may
ask you to reconsider, or require a proportionate fee (but only where Data Protection Law allows it).

 Requests that cannot be fulfilled
You should be aware that the right of access is limited to your own personal data, and certain data is
exempt from the right of access. This will include information which identifies other individuals (and
parents need to be aware this may include their own children, in certain limited situations – please see
further below), or information which is subject to legal privilege (for example legal advice given to or
sought by the Foundation, or documents prepared in connection with a legal action).

The school is also not required to disclose any pupil examination scripts (or other information
consisting solely of pupil test answers), provide examination or other test marks ahead of any ordinary
publication, nor share any confidential reference given by the Foundation itself for the purposes of the
education, training or employment of any individual.

Despite the “right to be forgotten”, the school will sometimes have compelling reasons to refuse
specific requests to amend, delete or stop processing personal data: for example, a legal requirement,
or where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be
considered on their own merits.

 Pupil requests
Pupils can make subject access requests for their own personal data, provided that, in the reasonable
opinion of the school, they have sufficient maturity to understand the request they are making. A pupil
of any age may ask a parent or other representative to make a subject access request on his/her behalf.

Indeed, while a person with parental responsibility will generally be entitled to make a subject access
request on behalf of younger pupils, the law still considers the information in question to be the child’s:
for older pupils, the parent making the request may need to evidence their child’s authority for the
specific request.

Pupils at Senior School are generally assumed to have this level of maturity, although this will depend
on both the child and the personal data requested, including any relevant circumstances at home.
Slightly younger children may, however, also be sufficiently mature to have a say in this decision,
depending on the child and the circumstances.

 Parental requests, etc.
It should be clearly understood that the rules on subject access are not the sole basis on which
information requests are handled. Parents may not have a statutory right to information, but they and
others will often have a legitimate interest or expectation in receiving certain information about pupils
without their consent. The School may consider there are lawful grounds for sharing with or without
reference to that pupil.

Parents will in general receive educational and pastoral updates about their children, in accordance
with the Parent Contract. Where parents are separated, the School will in most cases aim to provide
the same information to each person with parental responsibility, but may need to factor in all the
circumstances including the express wishes of the child.
All information requests from, on behalf of, or concerning pupils – whether made under subject access
or simply as an incidental request – will therefore be considered on a case by case basis.

 Consent
Where the Foundation is relying on consent as a means to process personal data, any person may
withdraw this consent at any time (subject to similar age considerations as above). Examples where
we do rely on consent are certain types of uses of images and certain types of fundraising activity.
Please be aware however that the Foundation may not be relying on consent but have another lawful
reason to process the personal data in question even without consent.
That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under
some form of contract or agreement with the individual (e.g. an employment or parent contract, or
because a purchase of goods, services or membership of an organisation such as an alumni or parents’
association has been requested).

 Whose rights?
The rights under Data Protection Law belong to the individual to whom the data relates. However, the
Foundation will often rely on parental authority or notice for the necessary ways it processes personal
data relating to pupils – for example, under the parent contract, or via a form. Parents and pupils
should be aware that this is not necessarily the same as the school relying on strict consent.

Where consent is required, it may in some cases be necessary or appropriate – given the nature of the
processing in question, and the pupil’s age and understanding – to seek the pupil’s consent. Parents
should be aware that in such situations they may not be consulted, depending on the interests of the
child, the parents’ rights at law or under their contract, and all the circumstances.

Parents also have a right to contract legally with the Foundation in respect of their child’s care and
education. A parent may therefore have certain contractual and “duty of care” rights concerning how
information about their child is used, and their right to receive it. This might range from routine
updates (e.g. a school report), or because a parent’s legitimate interests are engaged in a particular
instance. While this can be difficult in situations where parents are separated, for example, as a
principle of family law each parent is entitled to the same information unless there is some specific
court order or child protection provision to the contrary.

In general, the Foundation will assume that pupils’ consent is not required for ordinary disclosure of
their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil’s
activities, progress and behaviour, and in the interests of the pupil’s welfare. That is unless, in the
Foundation’s opinion, there is a good reason to do otherwise.

However, where a pupil seeks to raise concerns confidentially with a member of staff, e.g. a school
nurse and expressly withholds their agreement to their personal data being disclosed to their parents,
the school may be under an obligation to maintain confidentiality unless, in the school’s opinion, there
is a good reason to do otherwise; for example where the school believes disclosure will be in the best
interests of the pupil or other pupils, or if required by law.

Pupils are required to respect the personal data and privacy of others, and to comply with the
Foundation’s relevant policies, e.g. the ICT acceptable use policy and the school rules. Staff are under
professional duties to do the same covered under the relevant staff policy.

DATA ACCURACY AND SECURITY
The Foundation will endeavour to ensure that all personal data held in relation to an individual is as
up to date and accurate as possible.

Individuals must notify an appropriate person within the Foundation of any significant changes to
important information, such as contact details, held about them. In the case of children attending the
School or Nursery, the appropriate person would be the child’s Head teacher or the Nursery
Manager, as applicable, for educational/ pastoral issues and the Clerk and Treasurer for financial
issues. In the case of staff, the appropriate person would be their Line Manager. Former pupils
should notify the Development Office.

An individual has the right to request that any out-of-date, irrelevant or inaccurate information about
them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law).

The Foundation will take appropriate technical and organisational steps to ensure the security of
personal data about individuals, including policies around use of technology and devices, and access
to the Foundation’s systems. All staff and governors will be made aware of this privacy notice detailing
their duties under Data Protection Law and will receive training as required.

REPORTING DATA BREACHES
Should a security incident take place, the Foundation will quickly establish whether a personal data
breach has occurred and, if so, promptly take steps to address it, including telling the Information
Commissioner’s Office (ICO) if required.

A personal data breach can be broadly defined as a security incident which has affected the
confidentiality, integrity or availability of personal data. In short, there will be a personal data breach
whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data
or passes it on without proper authorisation; or if the data is made unavailable and this unavailability
has a significant negative effect on individuals. It can include a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data and can be the result of both accidental and deliberate causes. It is more than just about losing
personal data. Breaches should be reported to the ICO if they will result in discrimination, damage to
reputation, financial loss, loss of confidentiality or any other significant economic or social
disadvantage. Such matters may separately require to be reported to the Charity Commission.

PUBLICATION AND PROVISION OF THE PRIVACY NOTICE
The school will make the Privacy Notice directly available to new parents and to prospective
parents/pupils when they apply for a place at the school.

The Privacy Notice will be drawn to the attention of present pupils directly, for example within the
school rules or pupil handbook. For school leavers, it will be important to remind them of the current
Privacy Notice while collecting any relevant consents to stay in touch with them as alumni.

New staff should be provided with a copy of the Privacy Notice when joining, either as part of the offer
of employment and/or with the employee handbook. For new applicants for jobs it is sufficient to
provide a link to the relevant page of the website, although if applications are made online or via a
written form then this should contain some explanation of what CVs and other information will be
used for and how long the Foundation will keep them.

Current parents, staff, governors and new governors will be provided directly with a copy of this
Privacy Notice.

If the Foundation wishes to keep a CV on file for a time in case a suitable role comes up in the future,
this option should be provided to the applicant (which may be opt in or out) along with an indication
of how long it will be kept on file.

An up-to-date version of the Privacy Notice will be made available on the Foundation’s websites, which
will be reviewed and updated annually. Any substantial amends to the Privacy Notice will be provided
directly to those affected within one month of starting processing.

THIS PRIVACY NOTICE
The Foundation will update this Privacy Notice from time to time. Any substantial changes that affect
your rights will be provided to you directly as far as is reasonably practicable.
Note that independent schools are not subject to the specific information provisions (including the
parental right to see the pupil record, and Freedom of Information) that is applicable to maintained
schools under separate legislation.

QUERIES AND COMPLAINTS
Any comments or queries on this privacy notice should be directed to the Clerk & Treasurer who can
be contacted at CLFox@boltonschool.org or c/o Bolton School, Chorley New Road, Bolton BL1 4PA or
by telephoning 01204 434715.

If an individual believes that the Foundation has not complied with this policy or acted otherwise than
in accordance with Data Protection Law, they should utilise the Foundation complaints / grievance
procedure and should also notify the Clerk & Treasurer. You can also make a referral to or lodge a
complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps
are taken to resolve the matter with the Foundation before involving the regulator