Terms & Privacy

Full Privacy Notice and Terms

1. Who we are
2. Who to contact
3. What we do with your data
4. Why the School needs to process personal data
5. Types of personal data we process
6. Where we collect information about you from
7. When you give it to us directly
8. When you give it to us indirectly
9. When you give permission to other organisations to share or it is available publicly
10. Third party organisations
11. Social Media
12. Information available publicly
13. When we collect it as you use our websites
14. CCTV
15. Who helps us process your data
16. How we store your data
17. How long we keep personal data
18. Keeping in touch and supporting the School
19. Your Rights
20. Rights of access
21. Requests that cannot be fulfilled
22. Pupil requests
23. Parental requests
24. Complaints
25. Consent
26. Whose rights?
27. Data Accuracy and Security
28. Direct Marketing
29. Photographs
30. Pupil Data
31. Sharing your story
32. Your right to know what we know about you, make changes or ask us to stop using your data
33. Building profiles of supporters and targeting communications
34. International Transfers of Personal Data
35. Changes to this Notice
36. Legitimate Interests
37. Legal Underpinning of this Privacy Notice
38. Specific Information
39. Accidents and Incidents
40. Admissions
41. Agents
42. Applications & Enquiries
43. Bursaries
44. Archives
45. Current and Former Parents and Guardians
46. Wealth Screening
47. Current Pupils
48. Activities / Trips / Visits
49. Display and Storage of Pupils Work
50. Chapel
51. Duke of Edinburgh s Award
52. Medical Records
53. Special Educational Needs (SEN)
54. Public Examination Results
55. Youth Support Services
56. Debtors
57. Due Diligence
58. EYFS
59. Email
60. Events
61. Food and Drink
62. Gifts
63. IT
64. Lettings
65. Old Dunelmians (ODs / Alumni / Former Pupils)
66. Sales
67. Scholarships
68. Self Employed Staff
69. Staff & PGCE Students
70. Suppliers of Goods and Services
71. Training
72. Volunteers
73. Governors
74. Trustees of other School bodies
75. Visitor Parking and Site Access
76. Visitor Passes

Who we are

For the purposes of this policy Durham Cathedral Schools Foundation ( The School , we ) refers to any organisation which is part of the Durham Cathedral Schools Foundation Community and includes Durham School, Choristers School, Durham School Trading Ltd, The Langley Foundation, The Burkitt Trust, Durham School Boat Club, other officially recognised Durham Cathedral Schools Foundation Sports Clubs, The Friends of DCSF and The Old Dunelmian Society.

This notice is designed to conform to the General Data Protection Regulation (EU 2016/679) and the UK General Data Protection Act 2018. We will refer to this as Data Protection Law.

Who to contact / DPO

Durham Cathedral Schools Foundation has appointed a Data Protection Officer (DPO) in accordance with Articles 37–39 of the UK General Data Protection Regulation.

The DPO is responsible for overseeing compliance with data protection law, advising the School on its obligations, and acting as a point of contact for individuals and for the Information Commissioner’s Office (ICO).

From 31 March 2025, the School’s Data Protection Officer is:

Mr Andrew Beales
Development Director and Data Protection Officer
Durham Cathedral Schools Foundation
Quarryheads Lane
Durham City
DH1 4SZ

📧 a.beales@dcsf.org.uk
📞 0191 731 9270

The DPO operates independently and reports to the senior leadership of the Foundation. Individuals may contact the DPO directly with any questions, concerns, or requests relating to the processing of personal data, without prejudice.

What we do with your data

This privacy notice is intended to provide information about how we will use (or “process”) personal data about individuals including: its current, former and prospective staff; its current, past and prospective pupils; their parents, carers or guardians (referred to in this document as “parents”); suppliers of goods and services to the School; and any other members of the Durham Cathedral Schools Foundation Community.

This information is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used. All members of the Durham Cathedral Schools Foundation Community are encouraged to read this Privacy Notice and understand the school s obligations to its entire community.

This Privacy Notice applies alongside any other information we may provide about a particular use of personal data, for example when collecting data via an online or paper form.

This Privacy Notice applies in addition to our other relevant terms, conditions and policies. These include but are not limited to:

• any contract between the School and its staff or the parents of pupils;
• The School’s policy on taking, storing and using images of children;
• the School s CCTV (where used);
• the School s retention of records policy;
• the School’s safeguarding, pastoral, or health and safety policies, including as to how concerns or incidents are recorded; and the School’s IT policies, including its Acceptable Use policy, Wi-Fi policy, Remote Working policy and Bring Your Own Device policy.
• Anyone who works for, or acts on behalf of, Durham Cathedral Schools Foundation (including staff, volunteers, governors and service providers) should also be aware of and comply with this Privacy Notice and all relevant school policies.

Why the School needs to process personal data

The lawful basis for data processing as set out in data protection law includes the following:

• Contract
• Legal obligation
• Vital interest
• Public Task
• Legitimate interest
• Consent

All six basis are equally valid for processing data but we are obliged to inform you of the basis under which we process your data.

We will always seek to process data only when necessary. We will be targeted in and proportionate in our processing to achieve a purpose.

In order to carry out our ordinary duties to members of the Durham Cathedral Schools Foundation Community (including staff, pupils, former pupils and parents) we may process a wide range of personal data about individuals (including current, past and prospective staff, pupils or parents) as part of our daily operation.

We will need to carry out some of this activity in order to fulfil our legal rights, duties or obligations including those under a contract with its staff, or parents of its pupils.

Other uses of personal data will be made in accordance with our legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals, and provided it does not involve special or sensitive types of data.

We expect that the following uses may fall within the category of the Schools (or its community s) legitimate interests:

• For the purposes of pupil selection (and to confirm the identity of prospective pupils and their parents);
• To provide education services, including musical education, physical training or spiritual development, career services, and extra-curricular activities to pupils, and monitoring pupils’ progress and educational needs;
• Maintaining relationships with parents, alumni and the School community, including direct marketing or fundraising activity;
• For the purposes of donor due diligence, and to confirm the identity of prospective donors and their background and relevant interests (Building profiles of supporters and targeting communications);
• For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);
• To enable relevant authorities to monitor the School’s performance and to intervene or assist with incidents as appropriate;
• To give and receive information and references about past, current and prospective pupils, including relating to outstanding fees or payment history, to/from any educational institution that the pupil attended or where it is proposed they attend; and to provide references to potential employers of past pupils;
• To enable pupils to take part in national or other assessments, and to publish the results of public examinations or other achievements of pupils of the School;
• To safeguard pupils’ welfare and provide appropriate pastoral care;
  To monitor (as appropriate) use of the School’s IT and communications systems in accordance with the School’s IT: acceptable use policy;
• To make use of photographic images of current and former pupils, staff and parents in school publications, on the School website and (where appropriate) on the School’s social media channels in accordance with the School’s policy on taking, storing and using images of individuals;
• To enable payments to be made where appropriate to individual service providers.
• For security purposes, including CCTV in accordance with the School s CCTV policy; and
• Where otherwise reasonably necessary for the School’s purposes, including to obtain appropriate professional advice and insurance for the School;

In addition, we may need to process special category personal data (concerning health, ethnicity, religion, biometrics or sexual life) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on us by law, including as regards safeguarding and employment, or from time to time by explicit consent where required.

These reasons may include:

• To safeguard pupils’ welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition where it is in the individual’s interests to do so: for example, for medical advice, social services, insurance purposes or to organisers of school trips;
• To provide educational services in the context of any special educational needs of a pupil;
• To provide spiritual education in the context of any religious beliefs;
• In connection with employment of its staff and volunteers, for example DBS checks, welfare or pension plans;
• To provide suitable food and drink at School or an event while being respectful of religious, cultural and or medical requirements, including allergies.
• To run any of its systems that operate on biometric data, such as for security and other forms of pupil identification (lockers, lunch etc.); or
• For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with our legal obligations and duties of care.

We will rely on consent only where absolutely necessary. Specifically, this will include receiving your consent to send you electronic communications to comply with GDPR and PECR regulations.

Types of personal data we process

This will include by way of example:

• names, addresses, telephone numbers, e-mail addresses and other contact details;
• car details (about those who use our car parking facilities);
• bank details and other financial information, e.g. about parents who pay fees to the School;
• past, present and prospective pupils’ academic, disciplinary, admissions, assessment and attendance records (including information about any special needs), and examination scripts and marks;
• where appropriate, information about individuals’ health, and contact details for their next of kin;
• records of gifts made and any gift aid declarations
• references given or received by the School about pupils, and information provided by previous educational establishments and/or other professionals or organisations working with pupils; and
• images of pupils, staff and parents (and occasionally other individuals) engaging in school activities, and images captured by the School’s CCTV system (in accordance with the School’s policy on taking, storing and using images);

Where we collect information about you from

We collect information in the following ways:

When you give it to us directly

You may give us your information as a prospective, current or former pupil, or member of staff, or parent, or in order to receive information from the School, sign up for one of our events, donate, purchase our products or communicate with us. Sometimes when you support us, your information is collected by an organisation working for us (e.g. an online payment company or by using olddunelmians.org.uk), but we are responsible for your data at all times.

When you give it to us indirectly

Your information may be shared with us by independent organisations for example fundraising sites like Just Giving or Virgin Money Giving. These independent third parties will only do so when you have indicated that you wish to share your details with the School and with your consent. You should check their Privacy Policy when you provide your information to understand fully how they will process your data.

When you give permission to other organisations to share or it is available publicly

We may receive and record information from organisations such as UCAS or individual universities that we use to better understand our former pupils university choices and to inform careers and university advice given to current pupils.

We may combine the information you provide to us with information available from external sources in order to gain a better understanding of our supporters to improve our fundraising methods, products and services.

The information we get from other organisations may depend on your privacy settings on these sites or the responses you give, so you should regularly check them. This information comes from the following sources:

Third-party organisations

You may have provided permission for a company or other organisation to share your data with third parties, including charities. This could be when you buy a product or service, register for an online competition or sign up with a comparison site.

Social Media

Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you might permit us to access information from those accounts or services. By joining an official School (including Old Dunelmian or Friends of) page or group in social media, you consent to allow us to contact you through that platform.

Information available publicly

This may include information found in places such as Companies House and information that has been published in articles/newspapers. Registers of ODs were regularly published by the OD Society between 1912 and 1991. This information is already in the public domain.

When we collect it as you use our websites

Like most websites, we use cookies to help us make our sites and the way you use them better. Cookies mean that a website will remember you. They are small text files that sites transfer to your computer (or phone or tablet). They make interacting with a website faster and easier for example by automatically filling your name and address in text fields.

In addition, the type of device you are using to access our website and the settings on that device may provide us with information about your device, including what type of device it is, what specific device you have, what operating system you are using, what your device settings are, and why a crash has happened. Your device manufacturer or operating system provider will have more details about what information your device makes available to us.

Some cookies and online tools are provided by third-party service providers. Where this involves a transfer of personal data outside the UK, appropriate safeguards are applied in accordance with our section on International Transfers of Personal Data.

Cookies & Similar Technologies

Our websites use cookies and similar technologies (such as web beacons and local storage) to improve your experience, secure the site, and understand how the site is used. Cookies are small text files placed on your device when you visit a website.  More information about what information is collected by cookies on our site can be found under our Cookies Policy.

Types of Cookies We Use

We categorise cookies as follows:

1. Strictly Necessary Cookies
   These are essential to provide the basic functions of our websites and cannot be switched off in our systems. Examples include cookies that enable secure login, maintain website security, or remember information you have entered during a session. You do not need to consent to these for the website to function.
2. Non-Essential Cookies (Consent Required)
   These include cookies for:

• • Website analytics and performance
  • Functional enhancements
  • Third-party embedded content
  • Tracking services
    These cookies will only be placed after you have explicitly consented.

How We Obtain Your Consent for cookies

When you first visit our website, you will be presented with a cookie banner that explains:

• What cookies we use
• Why we use them
• Which third parties may set cookies

You will be asked to accept or reject non-essential cookies before they are placed on your device. Simply continuing to browse our website does not count as consent under the law. You may also select which categories of non-essential cookies you consent to.

Managing Your Cookie Preferences

You can change or withdraw your consent at any time by using the cookie settings tool on our website (available via a link in the footer) or through your browser settings.

Please note that disabling non-essential cookies may affect your experience on parts of the site.

Third-Party Cookies

Some cookies may be set by third parties such as analytics or social media providers. Where this is the case, we will:

• Clearly name those third parties
• Explain what the cookies do and how they are used
• Ensure they are only set after you have given consent

Legal Basis

We rely on consent for non-essential cookies under the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR’s standard for consent, which means you must take a clear positive action (e.g., clicking “Accept”) before those cookies are used.

CCTV

Some parts of our campus may be monitored by CCTV. These areas are clearly marked by suitable signage. We use any video and audio recorded to protect our pupils, staff and visitors while they are on-site, to deter crime, and to help maintain good order within the School grounds. We retain this information for a period of up to three months. Access to CCTV footage is controlled. CCTV footage may be passed on to the Police or other relevant authorities.

Who helps us process your data?

Occasionally, we will need to share personal information relating to our community with third parties, such as:

• professional advisers (e.g. lawyers, insurers, PR advisers and accountants);
• government authorities (e.g. HMRC, DfE, police or the local authority); and
• appropriate regulatory bodies (e.g. The Independent Schools Inspectorate, The Charity Commission or the Information Commissioner).
• The Old Dunelmian Society
• The Friends of DCSF
• The Langley Foundation
• The Burkitt Trust
• Durham Cathedral

For the most part, personal data collected by the School will remain within the School, and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a need to know basis).

Particularly strict rules of access apply in the context of:

• medical records held and accessed only by the School medical team and appropriate medical staff under his/her supervision, or otherwise in accordance with express consent; and
• pastoral or safeguarding files.

However, staff will need to be provided with a certain amount of relevant information about any Special Educational Needs (SEN) pupil more widely in the context of providing the necessary care and education that the pupil requires.

Staff, pupils and parents are reminded that the School is under duties imposed by law and statutory guidance (including Keeping Children Safe in Education) to record or report incidents and concerns that arise or are reported to it, in some cases regardless of whether they are proven, if they meet a certain threshold of seriousness in their nature or regularity. This is likely to include file notes on personnel or safeguarding files, and in some cases referrals to relevant authorities such as the Local Authority Designated Officer) LADO or police. For further information about this, please view the School s Safeguarding Policy.

Finally, in accordance with Data Protection Law, some of the School’s processing activity is carried out on its behalf by third parties, such as IT systems providers, web developers or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only processed following our specific directions.

How we store your data

We store your data securely on our network and on remotely held secure servers within the EEA. We regularly back up our data to a secure remote server.

Data collected using a third-party application, such as Jot Form, will be stored on the third-party s server. We only use third parties which comply with all relevant GDPR information.

Physical data is stored securely in offices at School. Access to physical and digitally held data is restricted to appropriate school staff and volunteers.

How long we keep personal data

We will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep ordinary staff and pupil personnel files is up to seven years following departure from the School. However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements.

Specific details of a pupil s time at school are passed to the Old Dunelmian database and stored indefinitely for alumni.

If you have any specific queries about how our retention policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact the GDPR team GDPR@dcsf.org.uk. However, please bear in mind that we will often have lawful and necessary reasons to hold on to some personal data even following such request.

A limited and reasonable amount of information will be kept for archiving purposes, for example; and even where you have requested we no longer keep in touch with you, we will need to keep a record of that fact in order to fulfil your wishes (called a “suppression record”).

Keeping in touch and supporting the School

The School will use the contact details of parents, alumni and other members of the School community to keep them updated about the activities of the School, or alumni and parent events of interest, including by sending updates and newsletters, by email and by post. Unless the relevant individual objects, the School will also:

• Share personal data about parents and/or alumni, as appropriate, with organisations set up to help establish and maintain relationships with the School community, such as The Friends of DCSF and The Old Dunelmian Society.
• Contact parents and/or alumni (including via the organisations above) by post and email in order to promote and raise funds for the School;
• Collect information from publicly available sources about parents’ and former pupils’ occupation and activities, in order to maximise the School’s fundraising potential, improve the School s careers programme and improve community reach.

Should you wish to limit or object to any such use, or would like further information about them, please contact the GDPR Team in writing. You always have the right to withdraw consent, where given, or otherwise object to direct marketing or fundraising. However, we are nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to that particular address, email or telephone number).

Your Rights

Under UK data protection law, individuals have the following rights in relation to their personal data. These rights are subject to certain legal exemptions and limitations.

Your rights include:

• The right of access – to request a copy of the personal data we hold about you
• The right to rectification – to request correction of inaccurate or incomplete data
• The right to erasure – to request deletion of personal data where there is no lawful reason for us to retain it
• The right to restrict processing – to request that we limit how we use your data
• The right to data portability – to receive certain personal data in a structured, commonly used and machine-readable format
• The right to object – to processing based on legitimate interests, including profiling and direct marketing
• The right to withdraw consent – where processing is based on consent
• The right to complain – to the Information Commissioner’s Office (ICO)

Rights of access

Individuals have various rights under Data Protection Law to access and understand personal data about them held by the School, and in some cases ask for it to be erased or amended or have it transferred to others, or for the School to stop processing it but subject to certain exemptions and limitations.

Any individual wishing to access or amend their data or wishing it to be transferred to another person or organisation, or who has some other objection to how their personal data is used, should in the first instance contact the relevant department of the School or if they are unsure who this might be they should address their concerns to the GDPR Team. GDPR@dcsf.org.uk

We will endeavour to respond to any such requests as soon as is reasonably practicable and in any event within statutory time limits.

We will be better able to respond quickly to smaller, targeted requests for information. If the request for information is manifestly excessive or similar to previous requests, the School may ask you to reconsider or require a proportionate fee (but only where Data Protection Law allows it).

Requests that cannot be fulfilled

You should be aware that the right of access is limited to your personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals (and parents need to be aware this may include their own children, in certain limited situations please see Pupil Requests below), or information which is subject to legal privilege (for example legal advice given to or sought by the School, or documents prepared in connection with a legal action).

We are not required to disclose any pupil examination scripts (or other information consisting solely of pupil test answers), provide examination or other test marks ahead of any ordinary publication, nor share any confidential reference given by the School itself for the purposes of the education, training or employment of any individual.

You may have heard of the “right to be forgotten”. However, we will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your (or your child’s) personal data: for example, a legal requirement, or where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be considered on their own merits.

Pupil requests

Pupils can make subject access requests for their own personal data, provided that, in the reasonable opinion of the School, they have sufficient maturity to understand the request they are making (see section Whose Rights? below). A pupil of any age may ask a parent or other representative to make a subject access request on his/her behalf.

Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger pupils, the law still considers the information in question to be the child’s: for older pupils, the parent making the request may need to evidence their child’s authority for the specific request.

Pupils at Durham Cathedral Schools Foundation are generally assumed to have this level of maturity, although this will depend on both the child and the personal data requested, including any relevant circumstances at home. Younger children, particularly those in their final year at Bow, may however be sufficiently mature to have a say in this decision, depending on the child and the circumstances.

Parental requests

It should be clearly understood that the rules on subject access are not the sole basis on which information requests are handled. Parents may not have a statutory right to information, but they and others will often have a legitimate interest or expectation in receiving certain information about pupils without their consent. We may consider there are lawful grounds for sharing with or without reference to that pupil.

Parents will in general receive educational and pastoral updates about their children. Where parents are separated, the School will in most cases aim to provide the same information to each person with parental responsibility, but may need to factor in all the circumstances including the express wishes of the child.

All information requests from, on behalf of, or concerning pupils whether made under subject access or simply as an incidental request will therefore be considered on a case-by-case basis.

Complaints

If you believe that we have not handled your personal data appropriately, you may raise a concern via the School’s complaints procedure or contact the DPO directly.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). The ICO recommends that concerns are raised with the organisation first wherever possible.

Consent

Where we are relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above). Examples where we do rely on consent include certain types of marketing and fundraising activity. Please be aware however that the School may not be relying on consent but have another lawful reason to process the personal data in question, even without your consent.

That reason will usually have been asserted under this Privacy Notice, or may otherwise exist under some form of contract or agreement with the individual (e.g. an employment or parent contract, or because a purchase of goods, services or membership of an organisation such as an alumni or parents’ association has been requested).

Whose rights?

The rights under Data Protection Law belong to the individual to whom the data relates. However, the School will often rely on parental authority or notice for the necessary ways it processes personal data relating to pupils for example, under the parent contract, or via a form. Parents and pupils should be aware that this is not necessarily the same as the School relying on strict consent (see section Consent above).

Where consent is required, it may in some cases be necessary or appropriate given the nature of the processing in question, and the pupil’s age and understanding to seek the pupil’s consent. Parents should be aware that in such situations they may not be consulted, depending on the interests of the child, the parents rights at law or under their contract, and all the circumstances.

In general, the School will assume that pupil consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the pupil’s activities, progress and behaviour, and in the interests of the pupil’s welfare. That is unless, in the School’s opinion, there is a good reason to do otherwise.

However, where a pupil seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, the School may be under an obligation to maintain confidentiality unless, in the School’s opinion, there is a good reason to do otherwise; for example, where the School believes disclosure will be in the best interests of the pupil or other pupils, or if required by law.

Pupils are required to respect the personal data and privacy of others, and to comply with the School’s policies and the School rules. Staff are under professional duties to do the same covered under the relevant staff policy. Staff are also required to respect the personal data and privacy of others and comply with all School polices.

Data Accuracy and Security

We will endeavour to ensure that all personal data held in relation to an individual is as up-to-date and accurate as possible.

Where possible we use publicly available sources to keep your records up to date; for example, the Post Office s National Change of Address database and information provided to us by other organisations as described above. We regularly contact parents, ODs and Friends of the School with ways they can update their information and have self-update systems in place for these users.

We appreciate it if you let us know if your contact details change by contacting us at GDPR@dcsf.org.uk.

An individual has the right to request that any out-of-date, irrelevant or inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law): please see above for details of why we may need to process your data, of who you may contact if you disagree.

The School will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around the use of technology and devices, and access to school systems. All staff, volunteers and governors will be made aware of this notice and their duties under Data Protection Law and will receive relevant training.

Direct Marketing

We will contact you to let you know about activities at the Foundation, including at Durham School and Chorister School, news about current and former pupils, and to ask for donations or other support.

Occasionally, we may include information from partner organisations or organisations who support us in these communications.  We do not sell personal details to third parties.

We make it easy for you to tell us how you want us to communicate, in a way that suits you.

If you do not want to hear from us, that is fine. Just let us know when you provide your data or contact us at GDPR@dcsf.org.uk.

We do share some information with The Old Dunelmian Society and The Friends of DCSF. We have a statutory duty to share some information when requested with government bodies when requested.

Photographs

We use photographs of pupils, parents, staff, ODs, volunteers and other guests at School events for marketing, fundraising and other publicity purposes. We understand there are many valid reasons why you may not wish us to use your photograph or photographs of your children in this way. This is fine, just let us know you would like to opt out of giving your photography permission by contacting us at GDPR@dcsf.org.uk.

Pupil Data

Pupil data is updated on a regular basis by staff, parents and pupils. Parents and Pupils are regularly invited to update pupil data where necessary.

Sharing your story

Some people choose to tell us about their experiences at the School and or share photographs and memorabilia from their time at the School. They may also share stories about their life before or after their time with the School.

If we have the explicit and informed consent of the individual, or their parent or guardian if they are under 18, we may share your story at events, in materials promoting the School or in documents such as The Dunelmian Magazine.

Photographs and other artefacts or documents in our archives may be used at events, in materials promoting the School or in documents such as The Dunelmian Magazine.

Your right to know what we know about you, make changes or ask us to stop using your data

You have a right to ask us to stop processing your personal data, and if it is not necessary for the purpose you provided it to us for (e.g. processing your donation or registering you for an event) we will do so. Contact us at GDPR@dcsf.org.uk and for further information see the Information Commissioner’s guidance on the ICO Website.

If you believe that we have not complied with this notice or acted otherwise than in accordance with Data Protection Law, they should utilise the School complaints procedure and should also notify the GDPR Team. You can also make a referral to or lodge a complaint with the Information Commissioner s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with the School before involving them.

Building profiles of supporters and targeting communications

We use profiling and screening techniques to ensure communications are relevant and timely, and to provide an improved experience for our supporters. Profiling also allows us to target our resources effectively, which supporters consistently tell us is a key priority for them. We do this because it allows us to understand the background of the people who support us and helps us to make appropriate requests to supporters who may be able and willing to give more than they already do. Importantly, it enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would.

When building a profile, we may analyse geographic, demographic and other information relating to you in order to better understand your interests and preferences in order to contact you with the most relevant communications. In doing this, we may use additional information from third-party sources when it is available. Such information is compiled using publicly available data about you, for example, addresses, listed Directorships or typical earnings in a given area.

No decisions producing legal or similarly significant effects are made solely by automated means.

You have the right to object to profiling even where lawful basis is legitimate interests. To do so please contact the DPO.

International Transfers of Personal Data

Durham Cathedral Schools Foundation is based in the United Kingdom. As a general rule, we store and process personal data within the UK or the European Economic Area (EEA).

However, some of the third-party service providers we use (for example, providers of IT systems, cloud services, website analytics, online forms, fundraising platforms or communication tools) may process personal data outside the UK and/or EEA.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect your data in accordance with UK data protection law. These safeguards may include:

• Transfers to countries which have been deemed to provide an adequate level of protection for personal data under UK law;
• The use of approved contractual safeguards, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; and
• Where required, the completion of transfer risk assessments and the implementation of supplementary measures to ensure that personal data remains adequately protected.
  We only transfer personal data internationally where it is necessary for the operation of our services and where appropriate protections are in place.

Further information about international transfers and the safeguards we use can be obtained by contacting the Data Protection Officer at GDPR@dcsf.org.uk.

Changes to this Notice

We may change this Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information we will make this clear on the Durham Cathedral Schools Foundation or Old Dunelmian Website or by contacting you directly. If you have any questions, comments or suggestions, please let us know by contacting the GDPR Team.

Legitimate Interests

Where the Foundation relies on legitimate interests as the lawful basis for processing personal data, this will only be where the processing is necessary for the Foundation’s legitimate purposes and does not override the rights, freedoms or legitimate interests of the individual.

In such cases, the Foundation carries out a Legitimate Interests Assessment (LIA) which considers:

• the purpose and necessity of the processing;
• whether the same aim can be achieved in a less intrusive way; and
• the potential impact on individuals and the safeguards in place to protect their interests.

Legitimate interests may include, for example, delivering education effectively, maintaining school operations and security, communicating with parents and alumni, fundraising activities, and promoting the Foundation’s aims.

Individuals have the right to object to processing based on legitimate interests, and such objections will be considered carefully in accordance with data protection law.

Further information about our use of legitimate interests and the assessments we carry out is available on request by contacting the GDPR Team.

Legal Underpinning of this Privacy Notice

Various laws underpin this Privacy Notice and are relevant to Durham Cathedral Schools Foundation.

Please note that independent schools are not subject to the specific information provisions (including the parental right to see the pupil record, and Freedom of Information).

7 December 2025

ACB

Specific Information

Accidents and Incidents

Durham Cathedral Schools Foundation keeps a record of all accidents and near miss incidents that occur on-site or as part of its activities. This is a legal requirement and helps us to monitor the health and safety of Staff, Pupils, and other visitors. Anyone who sustains an injury while on site or working away on School business, should complete an accident report.

Admissions

Agents

Durham Cathedral Schools Foundation occasionally uses agents to assist in the recruitment of pupils. Where Durham Cathedral Schools Foundation receives information from an agent, it does so under the terms of the agent s privacy notice. Applicants who apply to Durham Cathedral Schools Foundation through an agent should familiarise themselves with their agent s privacy notice.

Applications & Enquiries

By completing an enquiry form or by making an enquiry in person, over the phone or by email you understand that your details will be processed to facilitate the admission of your children into the Foundation. You can remove yourself and your family from the admissions process at any time by contacting the admissions team.

Data collected during the admissions process will be used for a full range of marketing activities, including sending School publications, notification of open days and other recruitment events and the sending of SMS text messages. If you are an Old Dunelmian your details will be shared with the Development Office.

Unless you notify us otherwise, emails, letters and other communications with applicants may be tracked and stored for up to 15 years to ensure that we are better able to tailor our future recruitment processes.

While processing your application, information concerning your child s performance at school, including their disciplinary record; school reports and examination results and financial information including information about the payment of fees may be requested from their current and or former schools.

Once a child has been admitted to the School the information on their formal application will form the basis of their pupil record and will be retained indefinitely.

Bursaries

In order to assess applications for bursaries fairly, the School requests information and documentation relating to the financial circumstances of those who have applied for means tested financial assistance. External publicly available information may also be sought. All such information is treated as highly confidential and access to this financial information is strictly limited. Means tested assistance is reviewed regularly, and the information provided during the assessment process is stored for up to seven years after the pupil leaves the School. Records of named awards such as Burkitt, King s, Peter Lee and Langley are recorded on an ODs record.

Archives

Records considered to be of historic value are retained in Durham Cathedral Schools Foundation s archive indefinitely.

We share photographs and publications from our archives at events, through Durham Cathedral Schools Foundation community websites and through our social media platforms and process such information as a legitimate interest of the School.

While the vast majority of our collections date from a time where the majority of individuals are deceased, and so not subject to data protection legislation, some academic research may be interested in living individuals associated with the School. Personal data concerning living individuals, which is not in the public domain, is unavailable to researchers, unless the subject of the information provides written consent.

Current and Former Parents and Guardians

As a current or former parent your data will be used for a full range of activities, including sending School publications, collection of School Fees, promotion of benefits and services available to parents and former parents, notification of Friends of DCSF events and the sending of SMS text messages. Data will also be used in the School fundraising programmes and related research, which in turn may include wealth screening and analysis. Emails, letters and other communications with the School and The Friends of DCSF may be tracked and stored to ensure that we are better able to tailor our future communications.

Guardians for overseas pupils are a key part of the pupils experience in British education. Many of our full boarders live overseas and have a guardian and/or host family living in the UK who can act as a first point of contact with the School. As such, the School processes data for guardians in the same way as it processes data held for current parents.

Wealth Screening

As a fundraising organisation, we undertake in- ‐house research and from time to time engage specialist agencies such as Prospecting for Gold to gather information about you from publicly available sources, for example, Companies House, the Electoral Register, company websites, rich lists , social networks such as LinkedIn, political and property registers and news archives.

We may also carry out wealth screening to fast track the research using our trusted third-party partners. You will always have the right to opt out of this processing. We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch. We also use publicly available sources to carry out due diligence on donors in line with our code of ethical fundraising and to meet money laundering regulations.

This research helps us to understand more about you as an individual so we can focus conversations we have with you about fundraising and volunteering in the most effective way, and ensure that we provide you with an experience as a donor or potential donor which is appropriate for you.

If you would prefer us not to use your data in this way, please email us at development@dcsf.org.uk

Current Pupils

We hold personal data pertaining to children and use it to: support their teaching and learning; monitor and report on their progress; provide appropriate pastoral care; and assess how well we are doing as a school.

This information includes a pupil s contact details, national curriculum assessment results, attendance information and personal characteristics such as ethnic group, any special educational needs and relevant medical information. If enrolling for post 14 qualifications we may be provided with their unique learner number (ULN) by the Learning Records Service and may also obtain from them details of any learning or qualifications undertaken. Durham Cathedral Schools Foundation issues all pupils with a Unique Pupil Number (UPN)

Activities / Trips / Visits

Durham Cathedral Schools Foundation collects and shares such information as necessary to facilitate pupil trips and visits both as part of its regular curriculum and as part of its co-curriculum programme. For example, it may be necessary to share medical information with staff taking a trip out of School.

Display and Storage of Pupils Work

As part of the normal operation of the School it is necessary to collect, mark, display and distribute pupils work. For the most part personal information gathered during this process will be purely incidental for example the name on the top on an essay. Staff must be cautious when arranging for the display or circulation of work that it does not inadvertently share biographical or other personal data. For example, a birthday wall in an EYFS classroom should not contain the date of birth, only the month a child is born.

Grading of work, and the storage of those grades will be collected by staff and shared with other staff as necessary to provide a suitable learning experience for pupils and for monitoring and assessing pupils, staff and our educational programmes. Marks may be shared with external bodies such as Examination Boards and or baseline assessment providers such as MidYIS.

Chapel

The School Chapel is used for Christian religious services by pupils, parents, staff, ODs and their families. There is a guest book in chapel in which visitors are free to make comments.

For marriage and baptisms Durham Cathedral Schools Foundation will share data, as a matter of contract, with the Diocese of Durham where requested. The official registers for the chapel are stored in an appropriate safe.

For a marriage to be legally solemnized in Durham Cathedral Schools Foundation Chapel it may be necessary to apply for dispensation to marry in Chapel and here data will be shared with the diocese and wider Anglican church administration to obtain all suitable licenses and permissions. A record of a marriage will by legal necessity be shared with the General Registry Office.

Candidates for Confirmation will be asked to grant consent for their data to be shared between Durham Cathedral Schools Foundation and the Diocese of Durham.

The School has a tradition of allowing former pupils to pay to have their names and years at school carved into the pews in chapel. A record of this is stored electronically in the Estates department and on the records of ODs on the OD Database. A printed copy of the locations of carvings is stored for use by visitors in the Chapel.

Durham Cathedral Schools Foundation has a legitimate interest in recording which ODs have been married, confirmed and baptised in its Chapel for both religious and alumni relations purposes. This data will form part of their Old Dunelmian record.

Duke of Edinburgh Award

Pupils who are enrolled in the Duke of Edinburgh Award scheme will be asked to submit information to DofE directly. This information is not processed by Durham Cathedral Schools Foundation. For more information about how the DofE process data please visit https://www.dofe.org/privacy-statement

Medical Records

When a pupil accepts a place at Durham Cathedral Schools Foundation, data relating to the health and medical record of that pupil will be collected. This might include medical records, details of any illnesses, allergies or other medical conditions suffered by the pupil.

Medical Records are Special Category Data, and the School uses this information in order to safeguard and promote the welfare of its pupils, for example the School uses details of any medical conditions so that staff will be able to respond appropriately in the event of a medical emergency. Medical information will be collated by the School Medical Centre and through a pupil s House. Medical record pertaining to a pupil will be destroyed after the pupil s 25th birthday.

Special Educational Needs (SEN)

When a pupil accepts a place at Durham Cathedral Schools Foundation, data relating to any disabilities and or special educational needs of that pupil will be collected. This might include by way of example medical records and or records of SEN assessments. The School will collect this information through the Medical Centre, Houses, Teaching Staff and through its SEN team.

SEN Data is Special Category Data. Relevant SEN information will be shared with Durham Cathedral Schools Foundation Staff where appropriate to ensure that pupils with special educational needs are given the best possible learning, co-curricular and pastoral experience. Relevant information will also be shared externally with appropriate educational bodies for example with an examination or other awarding body. SEN information will also be used to measure the effectiveness of our SEN programme. SEN records pertaining to a pupil will be destroyed after the pupil s 25th birthday.

Public Examination Results

It has long been a tradition in the UK for public examination results, such as GCSE and A Levels, to be shared in the local media, such as on websites and in the local press. These may appear either in order of attainment, or alphabetically. Students or their parents may request not have their results published and should contact GDPR@dcsf.org.uk to make such a request. Similarly, winners of School prizes, Captains of Sport, Heads of School, Oxbridge Scholars and other notable achievements are celebrated on Honours Boards within the School, and are shared in publications su ch as the Speech Day Programme and the School Magazine.

Anonymised academic results may be shared with other organisations to facilitate the compilation of league tables and other metrics including value added .

Youth Support Services

Once a child is aged 13 or over, we are required by law to pass on certain information to providers of youth support services. This is the local authority support service for young people aged 13 to 19 in England. We must provide both the child s name and address, and that of their parents, and any further information relevant to the support services role. Once a child is 16 years old, they or their parents can request that no information beyond names, address and your date of birth be passed to the support service.

Debtors

Durham Cathedral Schools Foundation reserves the right to pursue all debtors to the School and organisations within the School Community. In extreme cases, we may work with a debt collection agency. Any actions taken to recover debts will be reasonable and proportionate to the amount owed. If we are unable to contact you using the contact information you have provided we reserve the right to use that data to trace your current contact details to enable the matter to be resolved.

Due Diligence

There are a number of occasions where it is prudent for Durham Cathedral Schools Foundation to run checks into the background of suppliers, bursary recipients, supporters, parents and Old Dunelmians. For example, if a support pledges a large gift to the School or where the School intends to make a significant purchase from a supplier. Where the School deem it necessary to do so we reserve the right to perform credit checks and other legitimate forms of due diligence processing.

EYFS

Data from the Early Years Foundation Stage, in the form of photographs and observations is shared with parents through the Tapestry system. Where parents claim early years funding we share that information with government agencies for reporting and monitoring purposes, including pupil name, age and attendance data.

Email

By its very nature, all email contains personal data, and Durham Cathedral Schools Foundation takes a number of steps to secure its email systems. By emailing Durham Cathedral Schools Foundation the contents of your email, including your email address will be logged and stored on the School s IT systems. Your email address will then be used for future relevant correspondence, unless you request otherwise.

Events

By booking to attend a School, Old Dunelmian Society or Friends of DCSF event, you agree that your data may be processed by Durham Cathedral Schools Foundation in order to facilitate your attendance at that events and similar future events that we believe may be of interest to you. This is processed under the legitimate interests of the Foundation. If you would rather not be informed of future events please do let us know by contacting GDPR@dcsf.org.uk.

Food and Drink

Where necessary we may collect and store meal preferences and information about allergies and other food related medical conditions for use in events both on and off site and for serving meals at School. As this information may include special category data about medical conditions and or ethnicity and religious beliefs.

Gifts

Records of gifts, including Gift Aid, will be kept indefinitely so we can continue to engage with supporters and their families. Donors are asked if they would like their gifts recognised publicly and have the option of being able to opt out of doing so.

IT

Use of our WIFI and other networks is monitored. We may record how many times you use a service, where you use it, at what times you use it, the quantity of data traffic and how long each session lasts as well as which sites you access. This information helps us to build a profile of our users for statistical purposes and to improve how we provide our service to you. IT usage that infringes our acceptable use policy may be shared with the relevant staff and or authorities so that appropriate action can be taken.

Most of this data will be aggregated into groups, which means that we will not be able to identify you individually. However, to enforce our acceptable use policy we may collect identifying information about you and your devices including IP address, cookies, and or user information.

Our IT systems are backed up offsite, and some of our systems use cloud-based storage. Off-site storage of data only happens on secure regulated servers within the UK or EU. Some data is collected using online forms. This data is also stored securely on the cloud.

Lettings

Any individual entering into a contract to let or rent part of Durham Cathedral Schools Foundation s facilities agrees to the School processing their data to fulfil the contract. We will also use your data to offer you information about similar opportunities in the future. With your consent we may also use information to promote future events and lettings.

Old Dunelmians (ODs / Alumni / Former Pupils)

As a former pupil, your data will be used for a full range of alumni activities, including sending School publications, promotion of benefits and services available to alumni, notification of alumni events and the sending of SMS text messages. Your data will also be used in the School fundraising programmes and related research, which in turn may include wealth screening and analysis. Emails, letters and other communications with the School and OD Society may be tracked and stored, to ensure that we are better able to tailor our future communications.

Sales

To fulfil our obligations to individuals who purchase items of uniform or merchandise we will need to process your personal data. This will include payment information, order details, and if delivering an item, contact details. When arranging delivery, we will need to pass your contact details to a third-party delivery company. This data will include geographical address, email and phone number.

Scholarships

Pupil s records will include all scholarships and awards. After leaving records of awards such as Burkitt, Peter Lee and King are recorded on an ODs record.

Self Employed Staff

We process personal data relating to self-employed staff at Durham Cathedral Schools Foundation. This is for employment purposes and to assist in the running of the School, for example to enable appropriate background checks to be completed.

Staff & PGCE Students

We process personal data relating to those we employ to work at, or otherwise engage to work at, Durham Cathedral Schools Foundation. This is for employment purposes to assist in the running of the School and to fulfil our contractual arrangements, for example enabling individuals to be paid and to enable appropriate background checks to be completed.

This personal data includes identifiers such as names and National Insurance numbers and characteristics such as employment contracts and remuneration details, qualifications and absence information. We will not share information about you with third parties without your consent unless the law requires us to.

Where a member of staff and their spouse is required to be resident on School premises we will collect information to enable us to carry out suitable background checks in relation to the spouse.

In addition, we process personal data relating to individuals applying for roles at the Foundation. This will include conducting searches for safeguarding purposes.

Information related to unsuccessful applicants is destroyed within 12 months of their application being processed unless their consent has been given to retain the data.

In the case of PGCE students, Durham Cathedral Schools Foundation will share any information required by the student s institution as set out in the student s contract with the University.

When staff leave the School their contact details will be passed on to the Development Office to facilitate their continued involvement in OD and Friends of DCSF and to continue to receive publications such as The Dunelmian and OD eNews. Former staff wishing to receive these communications should contact the Development Office, od@dcsf.org.uk.

Suppliers of Goods and Services

Personal data relating to the suppliers of goods and services who are not corporate bodies is processed to enable the recording of transactions and the payment of monies due to the suppliers. This data will include name, address, telephone email and bank account details.

Where the supplier operates on School premises, it may also be necessary to undertake background checks on the supplier and or their employees.

Training

Durham Cathedral Schools Foundation encourages its staff, students and volunteers to undergo training from time to time. As part of this process, it may be necessary to share information such as previous qualifications, driver s licence details or other personal information with training providers and or awarding bodies. Records of such training are stored by The School.

Volunteers

We are grateful to ODs, parents and other friends of the School who give of their time to support School activities. We necessarily require volunteers to provide information including name, contact details, address and date of birth. Where required by law volunteers will need to supply further information to enable us to carry out suitable background checks. Volunteers who wish to receive communications from the School will be asked to share relevant data to enable that to happen..

Governors

School Governors are a special class of volunteer. They are the charity s trustees. We process personal data relating to Governors and prospective Governors of Durham Cathedral Schools Foundation. This data will be shared with external bodies including the Charity Commission and Companies House.

Trustees of other bodies

There are a number of other Durham Cathedral Schools Foundation-related charities including (but not limited to) The Langley Foundation, Burkitt Trust, The Friends of DCSF, The Old Dunelmian Society and recognised Durham Cathedral Schools Foundation Sports Clubs. The School may process data on behalf of these organisations and share such data as necessary with external bodies such as the Charity Commission and or Companies House.

Visitor Parking and Site Access

The School reserves the right to control access to parking using Automatic Number Plate Recognition systems and or manually checked parking permits. We may work with third parties to help us manage this process.

Access to the Cathedral site is controlled by Automatic Number Plate Recognition systems run by Durham County Council and or The Dean and Chapter of Durham Cathedral. In order to provide safe and continued vehicular access to our sites we may, from time to time, share relevant data, including name, address and car registrations with these providers.

Access to the Durham School stie site is controlled by Automatic Number Plate Recognition systems run by Creative Carparking. In order to provide safe and continued vehicular access to our sites we may, from time to time, share relevant data, including name, address and car registrations with these providers.

We may also collect data to help provide pick-up and drop-off permits for the local on street parking as issued in conjunction with Durham County Council.

Visitor Passes

When visitors arrive at one of our sites, we collect certain personal information to ensure their safety and the safety and security of our pupils, staff, other visitors, and facilities. The data we collect includes your name, organisation, the person you are visiting, the purpose of your visit, the time of your arrival and departure, and your vehicle registration if you have parked on site. Additionally, we will ask for your contact details to facilitate communication in case of an emergency while you are on-site. Where the technology is available, we also capture your digital image to produce an ID badge and keep a visual record of visitors on our premises.

The processing of visitor data is essential for fulfilling our public task of maintaining security across our sites. Your information helps us manage access to the buildings, track who is on-site at any given time, and respond appropriately in the event of an emergency. Photographs collected for visitor passes are securely stored and used solely for identification purposes during your visit. We may use third-party software to help us manage this processing.

If you are a parent or an Old Dunelmian, we may request additional information to ensure we have the most accurate and up-to-date contact details for our records. This allows us to communicate with you effectively regarding school matters and alumni events. In these cases, by providing your contact details you give explicit permission for us to use them to contact you for these purposes. You may withdraw your consent at any time.

Your current state: Allow these cookies (Necessary, Statistics, Marketing)
Change your consent | Withdraw your consent