The General Data Protection Regulation (the “GDPR”) came into effect on May 25th 2018 and has heightened awareness with regard to the collection, use, storage and deletion of personal data. The detail of the GDPR is somewhat complex, but the core principles are logical; (i) do not collect more information than is necessary for the purpose required, (ii) be clear and transparent about what you intend to use it for, (and obtain consent if you wish to use it outside of the core purpose for which it was collected) (iii) keep it safe, (iv) do not retain it for longer than is necessary, (v) provide the data subject with the right to access, amend and delete personal data you hold, and (vi) if passing the personal data on to a third party for processing only then do so based on a contract (usually a Data Processing Agreement). This explainer assumes that all schools have a basic level of understanding regarding what personal data is, and what it means to be a controller and/or a processor.
In the context of school group bookings, a number of concepts arise frequently, and we attempt to address these as clearly and simply as possible below. (Note: the GDPR is complex and the Topflight for Schools (“TFS”) explanations below should not be substituted for taking appropriate advice regarding your own obligations as a school).
WHAT STUDENT’S PERSONAL DATA IS REQUIRED FOR TFS SCHOOL TRIPS?
WHO IS COLLECTING THE “SCHOOL TRIP DATA SET”, IS IT TFS, THE LEAD ORGANISER OR THE SCHOOL?
There are variables, but the Participants generally do not provide data directly to TFS (save perhaps for credit card or payment information). The Participant’s data is usually collected by the lead tour organiser. TFS understands that the organiser is usually an employee of the school and would not be gathering the data otherwise than for the purposes of a “school trip”. TFS believes the safest interpretation is that as the lead organiser gathering the School Trip Data for the TFS trip, it places the school in the position of “Data Controller”. In principle this does not materially alter the school’s responsibilities, it already holds the vast majority of the data comprised in School Trip Data Set. However, this data was gathered in a different context, for different purposes, and there is some additional data (such as shoe sizes, dietary requirements, medical conditions, skiing experience etc.), which is newly gathered for the purpose of the TFS trip.
HOW SHOULD THE “SCHOOL TRIP DATA SET” BE COLLECTED AND HANDLED BY THE SCHOOL?
The data collection process is a matter for each school to decide, in conjunction with the lead organiser within each school. The ultimate requirement of TFS is that the School Trip Data Set must be inputted to the TFS management system. This is usually undertaken by the lead organiser through the TFS Portal.
Some schools collect personal data by using paper forms completed by each Participant (or their guardian), or they gather it via email or verbally, and subsequently populate spreadsheets or tables with the collected data.
Other schools and lead organisers use a “Mail Chimp” type system, where individual Participants each receive communication via email which requires them to populate specified information. When inputted, the data is populated into an online “Google Docs” type document, which is both password protected and securely hosted, and controlled by the lead organiser only. That lead organiser then extracts the data and inputs it into the TFS Portal. Although, TFS does not give guidance on data collection to the Schools, this “mail chimp” type system, would be the preferred structure.
Behaviours regarding the School Trip Data Set which TFS suggests are not appropriate, are the following;
Storing data on excel spreadsheets (password protected or not) in multiple locations, or at all;
Saving data spreadsheets on Laptops (particularly lead organiser private laptops). Student data sets should be saved on the school servers only;
Sending data, in an email or on attached spreadsheets, even if password protected. (A single incorrect email addressee is potentially a notifiable breach to the Data Protection Commission);
Any person other than a lead organiser, or a school employee, inputing the data into the TFS Portal;
If collecting data in paper form, leaving those forms in an unsecure location and thereby exposing data.
The School Trip Data Set should be treated separately by the School, i.e. it should be securely stored on the school servers, and should be subject to a separate deletion policy compared to the rest of the student data which the school holds. TFS suggests that the School Trip Data Set should be deleted within a reasonably short period of time after the trip, such as for example 6 months, unless otherwise specifically required. This allows for any accidents or claims to emerge, and the remaining data can then be deleted. There is no effect on the data which the school already holds for its own purposes, however, the School Trip Data Set will have expired as it will no longer be required.
WHAT IS THE RELATIONSHIP BETWEEN THE LEAD ORGANISER THE SCHOOL AND TFS WITH REGARD TO STUDENT DATA?
The School Trip Data Set is transmitted either by the lead organiser, or the school, to TFS. While it may appear that TFS could be a Data Processor, the TFS legal interpretation is that; (i) the school (through the lead organiser) collects the data and requires it for its own purposes with regard to the trip (i.e. the lead organiser will need to obtain contact details, medical conditions, dietary requirements etc), and (ii) the school/lead organiser is also collecting the School Trip Data Set for and at the request of TFS, in accordance with TFS’s requirements. TFS is advised that this relationship puts the School and TFS in the position of separate controllers, each having their own obligations in that regard.
WHAT SHOULD THE SCHOOL TELL THE STUDENT/GUARDIAN WHEN COLLECTING THE “SCHOOL TRIP DATA SET”?
We suggest the following wording;
You have received this information request, because you, or your dependent, have agreed to participate in a school trip organised with Topflight for Schools Limited (“TFS”). The school already holds certain personal data with regard to its students, which was gathered for the purposes previously communicated, and in accordance with the school’s Privacy Statement. This personal data is collected now for the purpose of the school trip, and is also collected in accordance with the school’s Privacy Statement. In addition, the personal data now gathered is as requested by TFS, for the purposes of the school trip, and it is shared with TFS, which also becomes a controller of the personal data. TFS, as a data controller in its own right, must comply with the GDPR with regard to your personal data, and you should read the TFS privacy statement available on its website at www.topflightforschools.ie, and note particularly the ways in which it will need to share certain details of your personal data with third parties, including hotels, airlines, coach companies, ski schools and equipment hire companies, for the purposes of the trip. Note also that your (or your dependents) participation on the trip will be evident on a list of travelling students, which will be available to all participants and visible when making the tour payment. If you wish your participation to remain confidential, please highlight that to the tour leader when submitting your data.
WHO’S RESPONSIBLE FOR YOUR PERSONAL DATA?
WHAT PERSONAL DATA DO WE COLLECT OR RECEIVE?/HOW DO WE COLLECT OR RECEIVE YOUR PERSONAL DATA?
Personal, contact, ID and payment details: Your full name and contact details (first name, middle name, last name, email address, phone number, postal address, country of residence), age, date of birth, gender, passport details and payment card details. You provide some of these details to us if you sign up to our emails, enter a competition, request a quotation/brochure, engage in online chat or book a trip with us on this website or with one of our sales consultants or when you book with a travel agent
Sensitive personal data: We may collect details relating to your health or medical conditions, including details of any accessibility requirements, allergies or other health-related requests, also we may collect details of your meal preferences which may tell us about allergies or other dietary requirements, or potentially indicate your religion or beliefs. You provide some of these details to us if you tell us about medical conditions when you book with us directly or with a travel agent.
We will not sell, share or rent this information to others in ways different from what is disclosed in this policy. We collect information from you at several different points on our website including when you make a booking, request a quotation/brochure, subscribe to our newsletter, complete a survey, engage in chat or enter a competition.
WHAT WE DO WITH YOUR PERSONAL DATA AND WHO WE SHARE IT WITH
- Manage your booking with us. We will use your information to provide you with any travel or event services that you request or purchase. This entails booking your flights, accommodations, organising tours, transportation and providing you with your tickets (on the basis of performing our contract with you) and providing you with any special assistance you require (where you give us your consent). We may share your personal data with third party suppliers we work with to provide your booking and our other services to you. We may share your information with parties such as airlines, hotels, tour operators, transport companies, excursion providers, ski related suppliers, airport authorities, insurance companies and ground handling agencies.
- Contact you with information about your bookings and support services: We will use your contact details to send you communications which relate to your booking or services you have requested. The types of information usually included would be: e-mails responding to enquiries, providing you with tickets, alerting you to changes in itineraries or responding to any complaints you have. We do these things in order to fulfil our contract with you and on the basis of our legitimate business interest of providing you with customer service. We share your personal data with third party suppliers that we use to provide services in connection with the experiences we offer to you. This might include marketing agencies and/or companies that run our marketing campaigns, IT developers, service providers and hosting providers, third parties that manage promotions or competitions, third party software companies ground agents, site analytics providers, medical service providers and credit card screening companies.
- Enable you to partake in a prize draw, competition or complete a survey: We do this to perform our contract with you or for our legitimate events of studying how customers use our services, develop them and grow our business.
- Send you marketing communications. We will use your information to contact you in order to keep you up to date with the latest news, offers, events, sales, brochures, promotions and competitions that we consider may be of interest or relevant to you. We will usually only do this when we have your consent to do so or on the basis of our legitimate interest to provide you with customer service. See 4. Marketing.
- Ensure security and protect our business interests. In certain circumstances, we use your information to ensure the security of our services, buildings, and people, including to protect against, investigate and deter fraud, unauthorised or illegal activities, systems testing, maintenance and development (on the basis of our legitimate interests to operate a safe and lawful business or where we have a legal obligation to do so).
- Comply with our legal obligations. In certain circumstances, we will need to use your information to comply with our legal obligations, for example to comply with any court orders or subpoenas (on the basis of our legitimate interests to comply with a legal obligation). We may have to share your information with other third parties (such as legal, accountants or other advisors, regulatory authorities, courts and government agencies) to enable us to enforce our legal rights, or to protect the rights, property or safety of our employees or where such disclosure may be permitted or required by law; and sometimes we have to provide ‘Advance Passenger Information’ about you to border or immigration authorities of the country of your travel destination. This would usually be the basic information contained in your passport but the laws of certain countries may require additional information. We will provide this information when we are required to do so.
- Optimise our sites and app. If you use our sites or apps, we will use your information to ensure that the content from our websites are presented in an effective manner for you and your device, to provide you with access to our site and app in a manner that is effective, convenient and optimal, and to provide you with content that is relevant to you, using site analytics and research and in certain circumstances combining that with other information we know about you (on the basis of our legitimate interests to operate and present an effective and convenient website to our website users).
- Use data analytics to improve our website, products/services, marketing, customer relationships and experiences. This is necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may contact you for marketing purposes, including to tell you more about our services, share news or tell you about promotions from time to time. You’re always in control of the emails that you receive and you can update your preferences or opt out at any time by email to firstname.lastname@example.org. Even if you’ve opted out of marketing messages, we’ll still need to contact you in relation to your bookings with us.
We will only contact you in this way if:
- You have signed up to receive marketing communications from us and have not later told us that you don’t want to hear from us.
- You have requested information from us or entered a competition or registered for a promotion and provided your details and you have not told us that you do not want to hear from us.
- You have made a booking with us and have not told us that you do not want to hear from us.
LEGAL BASIS FOR USING YOUR PERSONAL DATA:
We only process your personal data to the extent that at least one of the following applies:
- You’ve consented to the processing of your personal data for a specific purpose – for example, we process your sensitive personal data based on your consent for us to do that;
- The processing is necessary for us to perform our contract with you (eg to provide your trip) or for use to take steps at your request before we enter into the contract;
- Where we need to process your personal data to comply with a legal obligation that we’re subject to;
- Where we need to process your personal data to protect your vital interests (or somebody else’s), for example in case of a medical emergency; or
- Where the processing is necessary for the purposes of our legitimate interests or a third party’s legitimate interests.
We rely on several legitimate interests for using and sharing your personal data, including:
- Improving our products and services;
- Understanding how customers travel with us;
- Marketing and promotional activities;
- Identifying and pursuing new ways to develop and grow our business;
- Ensuring the security and safety of our staff and guests.
We use IP addresses to analyse trends, administer the site, track usage and gather broad demographic information for aggregate use.
We only share aggregated demographic information with our partners and advertisers. This is not linked to any personal information that can identify any individual person. We use a credit card processing company for all billing.
From time to time, this web site may contain links to other sites. Please be aware that Topflight for Schools is not responsible for the privacy practices of such other sites. We encourage you to be aware of this when you leave our site and to read the privacy statements of each and every web site that collects personally identifiable information. This privacy statement applies solely to information collected by Topflight for Schools.
If you subscribe to our e-mail newsletter, we ask for contact information – your name and e-mail address at minimum, with the option to provide additional information.
If you ask us to send you a printed brochure, we ask for contact information – your name and postal address at minimum, with the option to provide additional information.
SURVEYS & CONTESTS
From time-to-time our site may request information from users via surveys or competitions. Participation in these surveys or competitions is completely voluntary and you therefore have a choice whether or not to disclose this information. Information requested may include contact information (such as name and address), and demographic information (such as age range). Contact information will be used to notify the winners and award prizes. Survey information will be used to help us improve the usability of our systems.
We take every precaution to protect all information collected. Sensitive information which you submit via the website is both communicated to us and stored in a secure manner. All personal information communicated to us as part of a booking is submitted over a secure channel, protected using SSL or TLS encryption. You can confirm this by looking for the “secure site” indicator on your web browser, which typically appears as a padlock or key. For information held on file, access is restricted to only those staff that require that information to perform a specific job. All employees are kept up-to-date on our security and privacy practices. If you have any questions about the security at our website, you can e-mail email@example.com
COMMUNICATIONS RELATING TO BOOKINGS
We communicate with customers in relation to their current bookings. This communication may be by e-mail, conventional post, telephone, fax or other suitable medium. This communication is essential to the proper service of bookings and orders and must therefore take place regardless of the customer’s consent to other (non-booking-related) communication.
Except where an actual booking or other business transaction is concerned, we communicate with you only where consent is given. We track consent to e-mail and conventional post communication and you may review or revoke this consent at any time. Every edition of a newsletter offers a quick unsubscribe link.
NOTIFICATION OF CHANGES
INTERNATIONAL TRANSFERS OUTSIDE THE EEA
We will only send your data outside the European Economic Area (“EEA”) to:
- follow your instructions
- comply with a legal duty
- work with our suppliers and third parties who we use to help deliver our service
Some of our external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.
If we do transfer information to parties outside of the EEA, we will make sure that it is given a similar degree of protection by ensuring that at least one of the following safeguards are implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
YOUR PERSONAL DATA RIGHTS
What are your rights?
We want you to feel reassured that you have control of your personal information. With this in mind, we have explained below the rights you have in relation to the personal information we hold about you:
- The right to ask us to correct any information you believe is incorrect.
- The right to ask us to not to use your information for marketing purposes
- The right to receive a copy of the personal data we hold about you or to request that we transfer this to another service provider.
- In certain circumstances, the right to ask us to stop using information about you.
- The right to lodge a complaint to the Data Protection Commissioner’s Office.
- The right to ask us to limit or cease processing or erase information we hold about you in certain circumstances.
- The right to withdraw consent that you have provided to us to use your personal information.
How can you exercise your rights?
You can exercise these rights over your data by firstname.lastname@example.org or by checking the applicable boxes on forms where we collect your information or to tell us that you don’t want to participate in marketing. You can also unsubscribe from any marketing circulation lists you are on by scrolling to the bottom of the e-mail and clicking the ‘unsubscribe’ link.
We will comply with your requests unless we have a lawful reason not to do so. We will need you to provide additional details to confirm your identity in order to process your request.
We will only keep your personal data for as long as necessary to fulfil the purpose we collected it for, including for the purpose of satisfying any legal accounting or reporting requirements.
We operate a data retention policy and look to find ways to reduce the amount of information we hold and the length of time we hold it for.
By law, we have to keep basic information about booking and our customers for six years for legal claims and tax purposes.
We do not retain any personal data beyond 3 years from the date of return unless we have received notification of a claim, in which circumstance we will retain the personal data until the matter has been concluded.
HOW TO CONTACT US
If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact email@example.com using the details set out below.
You have the right to make a complaint at any time to the relevant data protection supervisory authority for data protection issues.
The Data Protection Commissioner in Ireland is (https://www.dataprotection.ie)
The Information Commissioner in the UK is (https://ico.org.uk/)
Updated: 01 April 2019