Who we are
GTMatrix (the Company) is a specialist provider of student travel and welfare support services to UK private schools.
For the purposes of Data protection legislation the Data Controller is Global Talent Matrix Limited. Our data protection registration number is ZA287649.
What this policy is for
This policy is intended to provide information about how GTMatrix will process personal data about individuals, including: students; their parents and/or guardians; staff employed by schools attended by the students; our staff including chaperones; drivers.
This information is provided in accordance with the rights of the individuals under Data Protection Law to understand how their data is used.
This Privacy Notice applies alongside any other information GTMatrix may provide about a particular use of personal data.
This Privacy Notice also applies in addition to the Company’s other relevant terms and conditions and policies, including:
- any contract between the Company and its staff or the parents of students;
- the Company’s data policies, including policies on taking, storing and using images of children;
- the Company’s Data Security policy;
- the Company’s Child Protection and Safeguarding and health and safety policies, including how concerns or incidents are recorded; and
- the Company’s IT policies.
Anyone who works for, or acts on behalf of, the Company (including chaperones, Airport Guardians and service providers) should be aware of and comply with this Privacy Notice.
Responsibility for data protection
The Company has appointed David JH Williams (Director) as Privacy and Compliance Officer who will deal with all your requests and enquiries concerning the Company’s uses of your personal data (see section on Your Rights below) and endeavour to ensure that all personal data is processed in compliance with this policy and data protection law.
Mr David JH Williams
Global Talent Matrix Limited
Cheltenham GL50 2QS
020 3355 2858
Why the Company needs to process personal data
To carry out its activities as a business the Company may process a range of personal data about individuals, including school children, the parents or guardians of school children, school staff, host families, transport providers and their drivers, and other individuals related to the delivery of its services.
In addition, the Company may need to process special category personal data (concerning health, ethnicity, religion of biometrics) or criminal records information (such as when carrying out DBS checks) in accordance with rights or duties imposed on it by law, including as regards safeguarding and employment, or from time to time by explicit consent where required.
These reasons may include:
- To safeguard students’ welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s medical condition where it is in the individual’s interests to do so: for example, for medical advice, social services, insurance purposes or to chaperones or drivers;
- In connection with employment of its staff, for example DBS checks, welfare or pension plans;
- To run any of its systems that operate on biometric data, such as for security and other forms of student identification; or
- For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care;
- Hiring and on-boarding our ‘Airport Guardians’ chaperone team.
Types of personal data processed
This will include by way of example:
- names, addresses, telephone numbers, e-mail addresses and other contact details;
- where appropriate, information about individuals’ health, and contact details for their next of kin;
- details of travel plans, including flight details, departure and arrival address and details required to deliver an unaccompanied minor service;
- school information including contact details of house and house parents; and
- host family information including names, address and phone numbers;
- passport and visa information and date of birth.
How the Company collects personal data
The Company receives personal data from the individual directly (including, in the case of students, from their parents, guardian or school). This will be via a series of forms, spreadsheets, in the ordinary course of interaction and communications such as emails. Personal data may also be supplied by third parties (for example a school, guardianship, host, or other professionals or authorities working with that individual), collected from publicly available resources or from previous schools/employers in the case of staff.
Who has access to personal data and who the Company shares it with
The Company needs to share certain personal information with contractors and others outside its organisation, including transport providers and the parents or guardians of other students sharing the same transport.
Details of any medical issues or allergies which may be relevant during the transportation of the student will be shared with the chaperone and driver and any restrictions on the type of food that can be consumed in respect of such allergies may be shared with all those on the same transport.
In accordance with data protection law, some of the Company’s processing activity is carried out on its behalf by third parties, such as IT systems providers, software programmers, SAAS or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with the Company’s specific directions.
How long we keep personal data
The Company will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, data will be deleted once the student has left school and no longer requires the Company’s services. However, incident reports and safeguarding files will need to be kept beyond this, in accordance with specific legal requirements. The Independent Enquiry into Child Sexual Abuse (IICSA) gives guidance on this matter and any data relating to actual or suspected child sexual abuse must be retained indefinitely. If you have any specific queries about how this policy is applied, or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact David Williams, firstname.lastname@example.org . However, please bear in mind that the Company may have lawful and necessary reasons to hold on to some data.
Individuals have various rights under data protection law to access and understand personal data about them held by the Company, and in some cases ask for it to be erased or amended or for the Company to stop processing it, but subject to certain exemptions and limitations.
Any individual wishing to access or amend their personal data, or wishing it to be transferred to another person or organisation, or who has some other objection to how their personal data is used, should put their request in writing to David Williams. The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. The Company will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, the Company may ask you to reconsider or charge a proportionate fee, but only where data protection law allows it.
You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal professional privilege.
Students can make subject access requests for their own personal data, provided that, in the reasonable opinion of the Company, they have sufficient maturity to understand the request they are making (see section Whose Rights below). Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of younger students, the information in question is always considered to be the child’s at law.
A student of any age may ask a parent or other representative to make a subject access request on his/her behalf. Moreover (if of sufficient age) their consent or authority may need to be sought by the parent making such a request. Students aged 13 and above are generally assumed to have this level of maturity, although this will depend on both the child and the personal data requested, including any relevant circumstances at home.
All information requests from, or on behalf of, students – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.
Where the Company is relying on consent as a means to process personal data, any person may withdraw this consent at any time (subject to similar age considerations as above). Please be aware however that the Company may have another lawful reason to process the personal data in question even without your consent.
That reason will usually have been asserted under this Privacy Notice or may otherwise exist under some form of contract or agreement with the individual (eg an employment or parent contract, or because a purchase of services has been requested).
The rights under data protection law belong to the individual to whom the data relates. However, the Company will often rely on parental or school consent to process personal data relating to students (if consent is required) unless, given the nature of the processing in question, and the student’s age and understanding, it is more appropriate to rely on the student’s consent.
In general, the Company will assume that students’ consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the student’s whereabouts and behaviour, and in the interests of the student’s welfare, unless, in the Company’s opinion, there is a good reason to do otherwise.
Students are required to respect the personal data and privacy of others, and to comply with the school rules which are also applicable on all transport.
Data accuracy and security
The Company will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible.
The nature of the Company’s activities requires that the operations team has up to date information enabling them to contact the student at all times. Individuals, parents, guardians or schools must ensure the Company has up to date information about the student.
An individual has the right to request that any out-of-date, irrelevant or inaccurate information about them is erased or corrected (subject to certain exemptions and limitations under data protection law): please see above for details of why the Company may need to process your data and of who you may contact if you disagree.
The Company will update this Privacy Notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.
Queries and complaints
Any comments or queries on this policy should be directed to David Williams using the following contact details.
David Williams, Director.
020 3355 2858
If an individual believes that the Company has not complied with this policy or acted otherwise than in accordance with data protection law, they should utilise the company complaints procedure and should also notify David Williams. The individual can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with the school before involving the regulator.