0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

Student Direct Enrolment for Schools

This applies to Pupils enrolling directly with Edinburgh College for courses they will complete whilst still at School (Schools College Partnership).

Please see the Student Enrolment Privacy Notice for all other Students enrolled at the College.

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it, and what are we doing with it (Purpose)?

  • To enrol you on your course and add you to our college system, although you are still enrolled at your school, the College needs to know who will be on the course and collect certain details from you. Where the College is the awarding body for your course, we will also use your information for certification (to award you the qualification you are studying for).
  • To support teaching and learning, this may involve monitoring how well you are doing on your course through assessments and examinations; providing you with access to learning and teaching tools (including online tools); enabling you to communicate with staff and fellow pupils; seeking your feedback; dealing with any issues or complaints; and telling you about events related to your learning.
  • To meet our duty of care to you and other legal obligations – including health and safety and safeguarding laws; to ensure reasonable adjustments are in place where you have declared you have a disability; to protect your vital interests or someone else’s, e.g. in a medical emergency; to monitor equality of opportunity and eliminate unlawful discrimination under the UK Equality Act 2010.
  • For public safety and the prevention and detection of crime, we use CCTV on our campuses; we monitor the use of IT facilities; and we apply security and welfare measures to ensure the safety and security of students and the wider College community in accordance with health and safety and other relevant laws.
  • To analyse student applications for business, planning and equal opportunities purposes, the college analyses student applications, including by key protected characteristic groups (including age, disability, gender reassignment, race, religion or belief, gender, and sexual orientation), to plan and improve its services and curriculum offering. Analysing applications by key protected characteristic groups is part of the college’s responsibilities under the Public Sector Equality Duty, as set out in the Equality Act 2010. This information (where you choose to supply it) will not be used in any selection or allocation process.
  • To meet our responsibilities in relation to your school and local authority, the Scottish Government and Skills Development Scotland, we will share basic information with your School and local authority (for example, City of Edinburgh Council, Midlothian and East Lothian councils) and with relevant Scottish Government bodies
  • To promote the college, we may take photographs, other images and recordings of students for possible use in our publicity and promotional material in print and online on our websites and social media. We may also inform you about college services, college events, or other direct marketing purposes.
  • For statistical purposes. When the College is the awarding body, we collect data on enrolments for each award, withdrawals, achievements, and certifications. This data was then collated and included in our Self-Evaluation for the Scottish Credit Quality Framework (SCQF). No personal data is shared with SCQF.

What personal data do we collect?

Personal data is information that identifies you and relates to your life (whether that’s your home life, education, business, or job). Some of your personal data (like your health information, religion, or ethnicity) is more sensitive – this is called “special category data”. 

Personal data

  • Name, address, telephone number, email address
  • Date of birth
  • Nationality
  • Next of kin and emergency contact details
  • School year at start of next academic session (i.e. S4, S5 or S6)
  • Course and units of study (including previous courses of study)
  • Assessment information related to your course, including assessment and exam dates and results
  • Appeals and complaints information
  • Attendance data
  • Your unique student ID
  • If you are a carer or have caring responsibilities
  • Care experienced/looked after background status (if applicable)
  • First/preferred language
  • Evidence to support Alternative Assessment Arrangements (including examinations).
  • Your IP Address (your unique online identifier when browsing the internet).
  • Photo/video footage of you (where relevant)

Special category data (only where you provide this, or it is required by law)

  • Gender (and gender identity)
  • Sexual orientation
  • Religion or religious denomination
  • Ethnicity
  • Disability and health data (including mental health); additional support needs information
  • Medical information and medication administration information
  • Special interest group status (e.g. asylum seeker; refugee; stateless person; person with profound or complex needs).

How are we collecting this information? What is the source?

We collect most information directly from you through the college’s Direct Enrolment application form, or it is created whilst you study with us, e.g., attendance and results information. We may also receive relevant information about you from your School/Local Authority.

The lawful basis for the processing

For everything we do with personal data, we are required to identify a ‘lawful basis’; these are listed in the UK General Data Protection Regulation (UK GDPR)

To enrol you and use your personal data whilst you are on your course, the lawful basis is UK GDPR Article 6(1)(e) “Public Task” or for certain circumstances 6(1)(c) “Legal Obligation”.

Where your special category personal data is processed, the lawful basis is UK GDPR Article 9(2)(g) “Substantial Public Interest”, on the basis of law, alongside a condition from Schedule 1, part 2 of the Data Protection Act 2018, in this case section 6 “Statutory etc and government purposes”.

We may also use your personal information where we need to protect your or someone else’s vital interests (e.g., if you are unwell and an ambulance is required, or if we have a safeguarding concern about a student). In this case, UK GDPR Article 6(1)(d) “Vital interests” would apply.

Where you have provided permission for use of image/footage of you, or where we’ve asked you if you’re interested in receiving direct marketing, the lawful basis is UK GDPR 6(1)(a) “Consent”. You can withdraw your consent for this at any time by contacting: marketingteam@edinburghcollege.ac.uk.

Who we share the information with

  • Your local authority and/or school (for example: City of Edinburgh Council, Midlothian Council, East Lothian Council). This is provided through a secure ‘schools tracker’.
  • The government or its agencies, including statutory returns to the Scottish Funding Council (SFC), student/pupil outcomes data to Scottish Government Insight (where the College is the awarding body), and other official bodies, to submit statistical returns.
  • Emergency services (fire, police, ambulance) or a health or social care professional to protect your vital interests or someone else’s, e.g., in a medical emergency or safeguarding concern.
  • The Police or another law enforcement agency, where necessary for law enforcement.
  • With Local Authority Social Care teams or other ‘Corporate Parents’ where our Corporate Parenting responsibilities require us to support the wellbeing of children and young people, who enrol at Edinburgh College and who are Looked After, Care Experienced and/or Care Leavers. Please note that local authorities may nominate other organisations and services to fulfil Corporate Parenting duties on their behalf (e.g., Barnardos, Dean & Cauvin, supported accommodation services), and Edinburgh College will share information accordingly.
  • To third parties we have appointed to work for us, e.g., online learning platform (Moodle), and plagiarism detection systems (Turnitin).

Where sharing is not for reasons listed or a legal obligation, we will share your personal information only with your consent. If you are under 16, we may share your personal information with a parent or guardian.

How long do we hold the personal data? 

Personal data will remain on the college’s Student Record System in line with the college’s retention schedule; most student records are retained 6 years from the end of your enrolment

Where the College is the awarding body for your course, a more minimal (less information) core record may be retained for the working life of a student, i.e., end of enrolment plus 55 years.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance, please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO guides on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303-123-113, or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF