Privacy Notice

This Privacy Notice applies to all personal data and information processing activities performed by
Marlborough College - registered charity 309486, The Marlburian Club, Marlborough College
Enterprise Limited (MCEL) and subsidiary organisations, societies and clubs (Marlborough College
Concert Series (MCCS), Marlborough College Charity Fund (MCCF), Friends of Marlborough
Telescope (FOMT)). For the purpose of this notice all of these organisations will be termed “the

Marlborough College reserves the right to modify this Privacy Notice at any time. Please review it
occasionally. If the College makes changes to this Privacy Policy, the updated Privacy Policy will be
published in a timely manner and if it makes material changes, it will provide a prominent notice or
communicate any changes to draw attention to such changes.


The College is a data controller for the purposes of data protection.

The College processes data in accordance with current data protection legislation and this notice is
designed to give you information about how and why we process personal data as well as what types
of personal data is involved.

The College has appointed the Master, Louise Moelwyn-Hughes as the Data Protection Controller
(DPC) and Mark Armitage as Data Protection Officer (DPO) who will endeavour to ensure that all
personal data is processed in compliance with current data protection legislation, published policies
and contracts.

This privacy notice applies in addition to the published documents that provide information about
data protection, such as our Data Protection Policy, ICT Policy, CCTV Policy, or other specific

1. Why do we process personal data?

The College processes relevant personal data regarding members of staff, applicants for vacancies,
volunteers, visitors, pupils, parents, alumni, families, customers and suppliers as part of its day to
day operations, objectives, statutory obligations and interests as follows:

  • The selection and admission of pupils, including awarding and reporting relating to
    scholarships and bursaries.
  • The provision of education and related service to pupils and parents, including pupil
    records, results and reports, trips, co-curricular activities, sports, matches, exams, school
    curriculum, timetable, pupil and teacher exchanges, the Almanac, university applications and
  • The safeguarding of pupils, provision of pastoral and medical care and services.
  • Compliance with legislation, regulation, inspection and audit including Subject Access
    Requests under data protection legislation.
  • Operational Management, including visitors, general administration, procurement of goods
    and services, management of property and assets, rentals, CCTV, catering, campus security,
    health and safety, fire risk management and building maintenance.
  • Selection and employment of staff including volunteers, temporary staff, contract staff, and
    Council members including Disclosure and Barring Service (DBS) checks.
  • Ongoing management of staff, including vacations, absences, performance reviews, salaries,
    disciplinary records and statutory reporting.
  • Alumni management, networking and communication.
  • Fundraising activities, which may include wealth screening.
  • Management of clubs and societies.
  • Promotion of the College.
  • Financial management, including debtors, creditors, fees, invoices, accounts, fiscal
    management and bursary applications.
  • Commercial activities, including marketing, managing customers, events, insurance.

2. Types of Personal Data processed

The College processes personal data about:

  • Prospective, current and past pupils and their parents, guardians or fee payers.
  • Staff including full time staff, job applicants, volunteers, contract staff and Council
  • Customers and visitors, including adults and children attending Summer School courses,
    sports club members, events.
  • Donors, Friends of the College, Club memberships (Old Marlburian Club), society
    memberships (Marlborough College Concert Series, Friends of Marlborough Telescope)
  • Suppliers, contractors and service providers.

The personal data we process may be factual, opinion, images, video, or other recorded information
and may be held in a variety of forms, digital, paper, film etc.

Examples of the type of data we process are:

  • Titles and names.
  • Addresses, telephone numbers, email addresses and other contact details.
  • Password and Visa details.
  • Admissions related information, references, academic, co-curricular activities, interests and
  • Pastoral, health and special needs, attendance and disciplinary records.
  • Exam scripts, digital media submissions to exam boards, marks and reports.
  • Education and employment information including references and referees, performance
    reviews, disciplinary records.
  • Security photographs and access information or access logs, including CCTV footage.
  • Video or still photographs of sports matches, training & other events.
  • Visitor logs.
  • Financial information.
  • Training records, including courses, conferences, activities and meetings attended.
  • Personal vehicle details, including vehicle registrations, proof of licence entitlements, proof
    of insurance.
  • Correspondence between staff, pupils, parents, and other individuals.
  • Contracts.
  • Login credentials, email addresses and other system identifiers.
  • Digital access and other logs, including web logs, system audit logs, firewall logs & email

The legal basis for processing this data is typically fulfilment of contract or legitimate interest. In some exceptional cases the College relies on consent to process this data.

The College also processes sensitive personal data when necessary for legal requirements where it is
in the best interest of the data subject. Sensitive data may include:

  • Pastoral, physical or mental health.
  • Medical. (The NHS is the data controller here.)
  • Ethnicity and religion.

The legal basis for processing this data is typically legal requirement, fulfilment of contract or
legitimate interest.

In very specific cases we process ‘special category’ data, Enhanced DBS checks are required for all
staff and unsupervised contractors. Where convictions or adverse findings are present that data is
used as part of a risk assessment.

3. Collection of personal data

The collection points for this most of this personal data are paper or digital forms.
Some data is provided by third parties, such as references for pupils and staff, examination boards
or the disclosure and barring service for DBS checks.
Other personal data is collected during the course of normal operations of running the College.

Personal data collection has been reviewed and the College does not process personal data that is
not required for a specific purpose and in most cases provides specific privacy notice detail on
individual forms, especially those where consent is the legal basis.

4. Access to and sharing personal data.

Personal data processed by the College remains within the College and is processed by appropriate
members of staff for the purpose for which it was collected. Technical and procedural steps,
processes and procedures are in place to protect access to physical and digital personal data.
The College does not sell personal data. In some cases, we may be required to disclose personal
data, for example statuary reporting of health and safety incidents, safeguarding incidents where
external organisations are involved, and the emergency services and in other lawful and legitimate

The College may rely on external data processors for some systems and services and ensures that
compliant contracts are in place. Health and medical information collected during the admissions
process is passed to the NHS.

The College shares data where necessary for third parties, including:

  • Other schools to facilitate trips, events and sport events and matches.
  • Examination boards, Independent Schools Inspectorate (ISI), co-curricular organisations,
    drama, Combined Cadet Force (CCF) (MoD), DofE.
  • Commercial organisations such as hotels, travel companies etc.
  • Safeguarding hubs, emergency services.
  • Universities and Colleges relating to pupil applications.
  • UK Visas and Immigration.
  • In some cases, trips are made to countries outside the countries of adequacy as defined in
    data protection legislation for example China. Under such circumstances trip consent forms
    will make it clear that this is the case and the data subject will be required to consent to this
    as a condition of the trip.

Examination boards are data controllers in their own right. Specific rules apply to exam results,
requests for exam results and examination papers. Individual examination boards publish their own
privacy notices and relevant Subject Access Requests may be made directly to examination boards.

In some circumstances we may publish, in a restricted way, personal data or sensitive personal data,
allergy or other medical conditions for example, where having that information freely available to
relevant staff is clearly in the best interest of the data subject.

5. Retention periods for personal data

The College retains personal data for differing periods of time for different purposes as required by
statute or best practice. Individual departments incorporate retention times into the processes and
manuals. Other statutory obligations, legal processes & enquiries may also necessitate the retention
or extended retention of certain data.

In general, we keep personal data for no longer than is required for the purpose for which it was
collected, some exceptions are:

  • The Marlburian Club, as an alumni centred organisation will keep personal data relating to
    its members in accordance with its constitution.
  • The College Archive, some personal data of historic value, including photographs, school
    photographs, historical pupil lists and may be archived in perpetuity.

6. Rights in respect of personal data.

GDPR & The Data Protection Act 2018 expand the rights of data subjects over previous legislation,
specifically data subjects have:

  • Right of Access - the right to be informed of and request access to the personal data we
    process about you.
  • Right to Rectification - the right to request that we amend or update your personal data where
    it is inaccurate or incomplete.
  • Right to Erasure - the right to request that we delete your personal data.
  • Right to Restrict - the right to request that we temporarily or permanently stop processing all
    or some of your personal data.
  • Right to Object -

- the right, at any time, to object to us processing your personal data on grounds
relating to your particular situation.

- the right to object to your personal data being processed for direct marketing

  • Right to Data Portability - the right to request a copy of your personal data in electronic format
    and the right to transmit that personal data for use in another party’s service;
  • Right not to be subject to Automated Decision-making - the right to not be subject to a
    decision based solely on automated decision making, including profiling, where the decision
    would have a legal effect on you or produce a similarly significant effect.

This Privacy Notice is published as part of these rights. If you wish to exercise any of these rights,
with the exception of the right to access, please contact the College department processing that
information in the first case. Information on the right of access and how to exercise that are
specifically detailed in the Data Protection policy published on the College website.

Please note that not all rights are applicable to all processing of personal data, depending on the lawful
basis that personal data is being processed under.


Websites in use by the College, including:

and other internal websites, use “cookies” to facilitate website functionality, but not for tracking or
other marketing purposes. Some websites use analytics tools to analyse website use and trends.

Log files for all websites may be kept for up to 13 months for safeguarding or law enforcement


If you have any issues relating to data protection relating to the College, or you feel like the College
has not respected your rights or wishes in respect of data protection, please contact the Data
Controller or the Data Protection Officer in writing at the published main college address, or via email