The Mill
Privacy Policy



PRIVACY NOTICE

This Notice is provided to you by the Mill Hill School Enterprises, the trading arm of The Mill Hill School Foundation, which includes the Senior School known as Mill Hill School, The Mount Mill Hill International, Belmont School and Grimsdell School. This Notice is intended to help you understand how and why we collect personal data about you and, where applicable, your child/ren.

1. WHAT THIS PRIVACY NOTICE IS FOR This Notice provides information about how Mill Hill School Enterprises uses personal data about individuals including: its staff, its clients and its users of the facilities. This information is provided to you because Data Protection Law gives individuals rights to understand how their data is used. Staff, clients and users of the facilities are all encouraged to read this Privacy Notice and understand Mill Hill Schools Enterprises obligations to its entire community. This Privacy Notice also applies alongside any other information that the Enterprises may provide about a particular use of personal data, for example when collecting data via an online or paper form. This Privacy Notice applies in addition to the Mill Hill School Enterprises' other relevant terms and conditions, protocols and policies, some of which fall under the Mill Hill School Foundation policies including:  Any contract between Mill Hill School Enterprises and its staff, clients or facility users.  The Mill Hill School Foundation’s CCTV and/or biometric policy/protocol;  The Mill Hill School Foundation’s retention of records policy;  The Mill Hill School Foundation’s safeguarding, pastoral and health and safety policies including as to how concerns or incidents are recorded; and  Mill Hill School Enterprises and The Mill Hill School Foundation’s IT policies, including its acceptable use policy, e-safety policy, wifi policy, remote working policy and bring your own device policy Anyone who works for, or acts on behalf of Mill Hill School Enterprises (including staff, volunteers, and service providers) should be aware of and comply with this Privacy Notice and Mill Hill School Foundation data protection policy, which Mill Hill School Enterprises adheres too and which provides further information about how personal data about individuals will be used.

2. RESPONSIBILITY FOR DATA PROTECTION The Foundation has appointed Maxine Zeltser as Compliance Manager, who will deal with all your requests and enquiries concerning the Foundation’s and Mill Hill School Enterprises uses of personal data (see section on Your Rights below) and endeavour to ensure that all personal data is processed in compliance with the Foundation’s policies and Data Protection Law. The email address for queries concerning matters arising from this Notice is compliance@millhill.org.uk.

3. WHY MILL HILL SCHOOL ENTERPRISES NEEDS TO PROCESS PERSONAL DATA In order to carry out its ordinary duties to staff, clients and facility users, the Mill Hill School Enterprises needs to process some personal data about individuals as part of its daily operations. Some of this activity by Mill Hill School Enterprises will be needed to fulfil the Mill Hill School Enterprises legal rights, duties or obligations – including those under a contract with its staff, clients or facility users. Other uses of personal data will be made in accordance with the legitimate interests of the Mill Hill School Enterprises or the legitimate interests of another, provided that such interests are not outweighed by the impact on individuals and provided it does not involve special or sensitive types of data. Mill Hill School Enterprises expects that the following uses will fall within that category of it’s (or it’s community’s) ‘legitimate interests’:  For the purposes of staff selection ( and to confirm the identity of prospective staff)  To provide induction training for the use of the gym  Maintaining relationships staff, clients and facility users, including closure notifications, direct marketing or activity directly related to the use of the school facilities run by Mill Hill School Enterprises;  For the purposes of management, planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as tax, diversity or gender pay gap analysis);  To monitor (as appropriate) use of Mill Hill School Enterprises IT and communication systems which fall under the Mill Hill School Foundation policies in accordance with the Mill Hill School Foundation Foundation’s use of email, the internet and social media policy, which can be found on The Mill Hill School Foundation Foundation’s website;  For security purposes, including biometrics and CCTV in accordance with The Foundation’s policy/protocol, which Mill Hill School Enterprises complies with;  To carry out or cooperate with any The Mill Hill School Enterprises or external complaints, disciplinary or investigation process; and  Where otherwise reasonable necessary for The Mill Hill School Enterprises' purposes, including to obtain appropriate professional advice and insurance In addition, Mill Hill School Enterprises will need to, on occasion, process special category personal data (for example, regarding health, ethnicity, religion or biometrics) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required. These reasons will include:  To safeguard pupils' welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual's medical condition or other relevant information where it is in the individual's interests to do so: for example for medical advice, for social protection, safeguarding, and cooperation with police or social services, for insurance purposes;  In connection with employment of its staff, for example DBS checks, welfare, union membership or pension plans;  To run any of its systems that operate on biometric data, such as for security  As part of any The Mill Hill School Enterprises, Mill Hill School Foundation or external complaints, disciplinary or investigation process that involves such data, for example if there are SEN, health or safeguarding elements; or  For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care. 

4. TYPES OF PERSONAL DATA PROCESSED BY MILL HILL SCHOOL ENTERPRISES. This will include by way of example:  names, addresses, telephone numbers, e-mail addresses and other contact details;  car details (about those who use our car parking facilities);  bank details and other financial information  personnel files, including in connection with academics, employment or safeguarding;  where appropriate, information about individuals' health and welfare, and contact details for their next of kin;  references given or received by Mill Hill School Enterprises and correspondence concerning staff.

5. HOW MILL HILL SCHOOL ENTERPRISES COLLECTS DATA Generally, Mill Hill School Enterprises receives personal data from the individual directly. This may be via a form, or simply in the ordinary course of interaction or communication (such as email or written assessments). However, in some cases personal data will be supplied by third parties (for example other professionals working with that individual); or collected from publicly available resources.

6. WHO HAS ACCESS TO PERSONAL DATA AND WHO MILL HILL SCHOOL ENTERPRISES SHARES IT WITH Occasionally, Mill Hill School Enterprises will need to share personal information relating to its community with third parties, such as:  professional advisers (e.g. lawyers, insurers, PR advisers and accountants);  government authorities (e.g. HMRC, DfE, police or the local authority); and  appropriate regulatory bodies For the most part, personal data collected by Mill Hill School Enterprises will remain within Mill Hill School Enterprises, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis). Particularly strict rules of access apply in the context of:  medical records held and accessed only by the Foundation’s Nurse Manager, with whom Mill Hill School Enterprises comply and appropriate medical staff under his/her supervision, or otherwise in accordance with express consent]; and  pastoral or safeguarding files. You are reminded that Mill Hill School Enterprises, due to its location within The Mill Hill School Foundation, complies with The Mill Hill School Foundation's obligations, under a duty imposed by law and statutory guidance (including Keeping Children Safe in Education), to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This is likely to include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities such as the LADO or police. For further information about this, please view The Mill Hill School Foundation’s Safeguard and Promote the Welfare of Children who are Pupils at the School Policy. Finally, in accordance with Data Protection Law, some of The Mill Hill School Enterprises processing activity is carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the Mill Hill School Enterprise’s specific directions.

7. HOW LONG WE KEEP PERSONAL DATA Mill Hill School Enterprises will retain personal data securely and only in line with how long it is necessary to keep the data for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff personnel files is up to 7 years following departure from Mill Hill School Enterprises. However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements. For more information, please refer to The Mill Hill School Foundation’s retention of data policy, with which Mill Hill School Enterprises complies. If you have any specific queries about how our retention of data policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact Maxine Zeltser, compliance manager in writing by email on compliance@millhill.org.uk. However, please bear in mind that Mill Hill School Enterprises may have lawful and necessary reasons to hold on to some personal data even following such request. A limited and reasonable amount of information will be kept for archiving purposes, for example; and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact in order to fulfil your wishes (see section on Requests that cannot be fulfilled below).

8. KEEPING IN TOUCH Mill Hill School Enterprises will use the contact details of staff, clients and facility users to keep them updated about the activities of Mill Hill School Enterprises, including by sending updates and newsletters, by email and by post. Unless the relevant individual objects, Mill Hill School Enterprises will also:  Contact staff, clients and facility users by post and email in order to promote Mill Hill School Enterprises.  Should you wish to limit or object to any such use, or would like further information about them, please contact the compliance manager, Maxine Zeltser in writing by email. You always have the right to withdraw consent, where given, or otherwise object to direct marketing or communications. However, Mill Hill School Enterprises is nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to that particular address, email or telephone number).

9. YOUR RIGHTS Individuals have various rights under Data Protection Law to access and understand personal data about them held by Mill Hill School Enterprises, and in some cases to ask for it to be erased or amended or have it transferred to others, or for Mill Hill School Enterprises to stop processing it – but subject to certain exemptions and limitations.  Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, or who has some other objection to how their personal data is used, should put their request in writing by email to the compliance manager, Maxine Zeltser. Mill Hill School Enterprises in consultation with The Mill Hill School Foundation will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits (which is one month in the case of requests for access to information). Mill Hill School Enterprises in consultation with The Mill Hill School Foundation will be better able to respond quickly to smaller, targeted requests for information. If the request for information is manifestly excessive or similar to previous requests, you may be asked to reconsider, or require a proportionate fee (but only where Data Protection Law allows it).  Requests that cannot be fulfilled You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals, or information which is subject to legal privilege (for example legal advice given to or sought by Mill Hill School Enterprises in consultation with The Mill Hill School Foundation, or documents prepared in connection with a legal action). You may have heard of the "right to be forgotten". However, the Mill Hill School Enterprises in consultation with The Mill Hill School Foundation will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your personal data such as, for example, to comply with a legal requirement, or where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be considered on their own merits.  Consent Where the Mill Hill School Enterprises in consultation with The Mill Hill School Foundation is relying on consent as a means to process personal data, any person may withdraw this consent at any time. Examples where we do rely on consent are: for example, biometrics, certain types of uses of images and certain types of fundraising activity. Please be aware however that Mill Hill School Enterprises may not be relying on consent but have another lawful reason to process the personal data in question even without your consent. That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual (e.g. an employment, or because a purchase of goods has been requested).  Whose rights? The rights under Data Protection Law belong to the individual to whom the data relates.

10. DATA ACCURACY AND SECURITY Mill Hill School Enterprises will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible.  Individuals must please notify Mill Hill School Enterprises office of any significant changes to important information, such as contact details, held about them.   An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law); please see above for details of why Mill Hill School Enterprises may need to process your data and of who you may contact if you disagree. Mill Hill School Enterprises in consultation with The Mill Hill School Foundation will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to The Mill Hill School Foundation systems which is used by Mill Hill School Enterprises. All staff will be made aware of these policies and their duties under Data Protection Law and receive relevant training.

11. THIS PRIVACY NOTICE Mill Hill School Enterprises in consultation with The Mill Hill School Foundation will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.

12. QUERIES AND COMPLAINTS Any comments or queries on this Notice should be directed in writing to Maxine Zeltser, the compliance manager, by email on compliance@millhill.org.uk. If an individual believes that the Mill Hill School Enterprises has not complied with this Privacy Notice or acted otherwise than in accordance with Data Protection Law, they should utilise The Mill Hill School Foundation’s policy, with which Mill Hill School Enterprises complies, on Handling Concerns and Complaints from Parents and should also notify Maxine Zeltser in writing by email. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter before involving the regulator.

Reviewed September 2020