Menu

SCIS Privacy Policy and Use of Cookies

This website is operated by the Scottish Council of Independent Schools (SCIS).

Introduction

SCIS aims to provide a safe, secure user experience for all visitors to its website and is committed to protecting their privacy. The purpose of this policy and the privacy notice below is to explain how personal data collected through this website is used and how we keep it secure. 

This website is not intended for children, and we do not knowingly collect data directly from children.  We do however process images of pupils of member schools by publishing them on our website, where such images are provided to us by member schools.  Please refer to the Privacy Notice for further information.

By submitting personal details to SCIS, visitors will be deemed as having understood and agreed to the use of them as described in this Privacy Policy and the privacy notice below. Should you have any questions, please do not hesitate to email SCIS at info@scis.org.uk

Collection and Retention of Information

SCIS uses your IP address in its web statistics software. This allows it to gather broad demographic information about visitors and to monitor the frequency with which visitors return to the SCIS website.

Use of Your Information by the Scottish Council of Independent Schools

SCIS uses the information it gathers from the website to respond to enquiries and improve the service offered. Where personal data is submitted, it may be used for promotional purposes and to gain feedback about the service offered.

We process images of attendees at our events and images provided by members schools by placing them on our website which may involve such images being accessed from outside the UK by members.  We do not otherwise transfer visitors’ or other data subjects’ personal data outside the UK.  We will update this privacy notice if that situation changes.

Disclosure of Information to Others

SCIS does not disclose to third parties any information about visitors to its website, such as their personal or demographic information, except as detailed below:

SCIS may disclose such information if legally required to do so, if requested to do so by a governmental entity or regulatory authority or if it believes in good faith that such action is necessary in its legitimate interests including to: (a) conform to legal requirements or comply with legal process; (b) protect the rights or property of SCIS; (c) prevent a crime or protect national security; or (d) protect the personal safety of users or the public.

Use of Cookies

We've provided information below, to let you understand how we use cookies at SCIS.

Cookies are tiny text files stored on your device. They come from the websites that you visit and are stored by your web browser. Almost every website uses cookies, and many sites would fail to work without them. The vast majority are innocuous - most do one of four very simple tasks:

  • Improving the use of a website according to your preferences
  • Helping to smooth your journey through an e-commerce process as you fill your basket
  • Tracking advertising campaigns
  • Providing the website owner with site usage data (which pages are most popular and the paths that website visitors take to find and navigate through the site)

At SCIS we use one session handling (functionality) cookie in the Schools' Members' Area to keep passwords alive while members are logged into the service. No personal information is stored with this cookie. We also use a Google Analytics (analytical) cookie to help us see which pages are working better for our website visitors - we can then use this information to make improvements to our website content and the site in general.

Cookies can be either first party or third-party cookies. First party refers to the website owner, so in our case SCIS is the website owner. Some sites (not ours) use advertising networks to display a series of adverts. These networks often place third party cookies on visitor devices. These simply track which adverts have been served to different visitors.

Many cookies are short lived things - at the end of your session the cookie is removed. Others may persist for a period of time, to allow website owners to, for example, identify frequently returning visitors.

Choices about cookies

You can choose which analytical and functionality cookies we can set by clicking on the button(s):

Strictly necessary cookies    ALWAYS ACTIVE

Analytical or performance cookies    OFF

Functionality cookies    OFF

You can also choose to "Reject All" cookies in the cookie banner.  However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.

If you have any questions or concerns about our use of cookies, please send us an email at info@scis.org.uk

Commitment to Data Security

SCIS takes appropriate precautions to keep visitors' personal information secure and has put in place appropriate physical, electronic, and managerial systems and procedures to safeguard the information collected.

In addition, we limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal data on our instructions, and they are subject to a duty of confidentiality.

SCIS PRIVACY NOTICE

WHO WE ARE

The Scottish Council of Independent Schools (SCIS) represents independent day, boarding and Additional Support Needs schools in Scotland. We are the controller in respect of personal data collected through this website and processed by us.

This privacy notice is intended to cover the activities of SCIS in how we deal with individual data subjects we deal with as contacts at our member schools. It sets out our rules on data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.

The data held by SCIS is primarily that of the member school but, within that, there are a number of school employees for whom data is held in their capacity as contacts for member schools. This gives SCIS two clear strands to its privacy policy: the business-to-business relationship with schools and the data control of the contact data for those employed by the member schools. We also process images of pupils of member schools by publishing them on our website, where such images are provided to us by member schools.  We require member schools to confirm that they have the appropriate consents from parents and guardians (including consent to international data transfer by publication on our website) to share such images with us for these purposes, and such images are regularly reviewed and removed by us from our website as appropriate.

WHAT THIS PRIVACY NOTICE IS FOR

This policy is intended to provide information about how SCIS will collect, use, store, and transfer (or "process") personal data about individuals including current, past and prospective contacts within member schools; and within other organisations with whom it has commercial and other relationships.

This information is provided because Data Protection Law (which means all legislation and regulatory requirements in force from time to time relating to the use of personal data and the privacy of electronic communications, including, without limitation (i) any data protection legislation from time to time in force in the UK including the Data Protection Act 2018 or any successor legislation, as well as (ii) the UK General Data Protection Regulation ((EU) 2016/679) and any other applicable European Union regulation relating to data protection and privacy (for so long as and to the extent that the law of the European Union has legal effect in the UK) gives individuals rights to understand how their data is used. Any individual interacting with SCIS is required to read this Privacy Notice and understand SCIS’s obligations to its entire membership.

This Privacy Notice applies alongside any other information SCIS may provide about a particular use of personal data, for example when collecting data online or in paper form.

This Privacy Notice also applies in addition to SCIS’s other relevant terms and conditions and policies, including:

  • the SCIS policy on taking, storing and using images;
  • the SCIS retention of records policy, and
  • the SCIS health and safety policies, including as to how concerns or incidents are recorded.

RESPONSIBILITY FOR DATA PROTECTION

SCIS has appointed a Data Compliance Manager, who will deal with all requests and enquiries concerning how SCIS use your personal data (see section on Your Rights below) and endeavour to ensure that all personal data is processed in compliance with this policy and Data Protection Law.

Contact details for the Data Compliance Manager are info@scis.org.uk

WHY SCIS NEEDS TO PROCESS PERSONAL DATA

In order to carry out its ordinary duties to member schools, those individuals used as contacts within the schools, and anyone making an enquiry with SCIS, we need to process a range of personal data about individuals as part of its daily operation. Some of this activity SCIS will need to carry out in order to fulfil its legal rights, duties or obligations – including those under a contract with its member schools. Other uses of personal data will be to meet our legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on individuals.

SCIS expects that the following uses will fall within that category of its “legitimate interests”:

  • To provide member services, including professional development, training, advice and guidance, and monitoring schools' progress and needs;
  • Maintaining relationships with former members and the SCIS community, including direct marketing;
  • For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as tax, diversity or gender pay gap analysis);
  • To enable relevant authorities to monitor SCIS’s performance and to intervene or assist with incidents as appropriate;
  • To monitor (as appropriate) use of the SCIS IT and communications systems in accordance with our relevant IT policies and procedures;
  • To make use of photographic images, on the SCIS website, by sharing with external media, and (where appropriate) on the SCIS social media channels where necessary for promotional or marketing reasons.  Where pupil images shared by member schools are processed, we also require member schools to confirm that they have the appropriate consents from parents and guardians (including consent to international data transfer by publication on our website) to share such images with us for these purposes, and such images are regularly reviewed and removed by us from our website as appropriate;
  • To carry out or cooperate with any internal or external complaints, disciplinary or investigation process; and
  • Where otherwise reasonably necessary for our purposes, including to obtain appropriate professional advice and insurance for SCIS and to comply with security requirements for SCIS events.

We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.

We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

TYPES OF PERSONAL DATA PROCESSED BY SCIS

This will include by way of example:

  • Identity data, including names and titles
  • Contact data, including addresses, telephone numbers, e-mail addresses and other contact details;
  • Financial data, including bank details and other financial information;
  • Technical data, including IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website;
  • Usage Data including information about how you interact with and use our website, products and services;
  • Marketing and Communications Data including preferences in receiving marketing from us and our third parties and your communication preferences; and 
  • Images of individuals engaging in SCIS activities and events and of pupils of member schools where shared by member schools.

We may also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' usage data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

We may collect and process the following special categories of personal data when you voluntarily provide them for the following legitimate business purposes, for the performance of a contract, or as applicable law otherwise permits:

  • Details of health information or disability status, including dietary requirements and allergy information, to comply with health and safety obligations and to make appropriate access accommodations in respect of events or otherwise.

We will seek your prior express consent to the processing of such special category data.

HOW SCIS COLLECTS DATA

Generally, SCIS receives personal data from the individual directly and their interactions with us. This may be via a form, or simply in the ordinary course of interaction or communication. However, in some cases personal data will be supplied by third parties (for example another school, or other professionals or authorities working with that individual); or collected from publicly available resources.

As you interact with our website, we will automatically collect Technical Data about individuals’ equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies and by collecting data from analytics providers. Please see our cookie policy and the summary above for further details. 

WHO HAS ACCESS TO PERSONAL DATA AND WHO SCIS SHARES IT WITH

Occasionally, SCIS will need to share personal information relating to its community with third parties where permitted or required by applicable law, such as:

  • professional advisers (e.g. lawyers, insurers, PR advisers and accountants);
  • venue providers, presenters and attendees at SCIS events (limited to names and school only);
  • government authorities (e.g. HMRC, police or the local authority); and
  • appropriate regulatory bodies e.g. Education Scotland, Care Inspectorate, OSCR or the Information Commissioner.

For the most part, personal data collected by SCIS will remain within SCIS and will be processed by appropriate individuals only in accordance with access protocols (i.e. on a ‘need to know’ basis).

Finally, in accordance with Data Protection Law, some of SCIS’s processing activity is carried out on its behalf by third parties, such as IT systems providers, web developers, organisations such as Mailchimp (for subscription to our newsletter) or cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely, not used for the third party’s own purposes and will only be processed in accordance with SCIS’s specific directions. We require all such third parties to respect the security of personal data and to treat it in accordance with the law.

HOW LONG WE KEEP PERSONAL DATA

SCIS will retain personal data securely and only for as long as it is reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain personal data for a longer period in the event of a complaint or for a legitimate and lawful reason.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we will anonymise personal data (so that it can no longer be associated with an individual) for research or statistical purposes, in which case we may use this information indefinitely without further notice.

If you have any specific queries about how our retention policy is applied or wish to request that personal data that you no longer believe to be relevant is considered for erasure, please contact The Data Compliance Manager. However, please bear in mind that SCIS will often have lawful and necessary reasons to retain some personal data even following such a request.

A limited and reasonable amount of information will be kept for archiving purposes, for example; and even where you have requested we no longer keep in touch with you, we will need to keep a record of the fact to fulfil your wishes (called a "suppression record").

YOUR RIGHTS

Individuals have various rights under Data Protection Law to access and understand personal data about them held by SCIS, and in some cases ask for it to be erased or amended or have it transferred to others, or for SCIS to stop processing it – but subject to certain exemptions and limitations.

Data subjects have the right to:

  • Request access to their personal data (commonly known as a "subject access request"). This enables them to receive a copy of the personal data we hold about them and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about them. This enables them to have any incomplete or inaccurate data we hold about them corrected, though we may need to verify the accuracy of the new data they provide to us.
  • Request erasure of their personal data in certain circumstances. This enables data subjects to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with the request of erasure for specific legal reasons which will be notified, if applicable, at the time of the request.
  • Object to processing of their personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of data. In some cases, we may demonstrate that we have compelling legitimate grounds to process information which override the right to object.
  • Object any time to the processing of their personal data for direct marketing purposes [LINK to details of how to object to receiving direct marketing communications].
  • Withdraw consent at any time where we are relying on consent to process personal data. If consent is withdrawn, we may not be able to provide certain services. We will advise if this is the case at the time consent is withdrawn.
  • Request the transfer of their personal data to another party under some circumstances.
  • Request restriction of processing of personal data. This enables data subjects to ask us to suspend the processing of their personal data in certain scenarios.

Any individual wishing to access or amend their personal data or wishing it to be transferred to another person or organisation, or who has some other objection to how their personal data is used, should put their request in writing to the Data Compliance Manager.

SCIS will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits. We may need to request specific information to help us confirm identity and ensure right to access the personal data (or to exercise any other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

SCIS will be better able to respond quickly to smaller, targeted requests for information. If the request for information is manifestly excessive or similar to previous requests, SCIS may ask you to reconsider, or require a proportionate fee (but only where Data Protection Law allows it).

Requests that cannot be fulfilled

You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals or information which is subject to legal privilege (for example legal advice given to or sought by SCIS, or documents prepared in connection with a legal action).

You may have heard of the "right to be forgotten". However, we will sometimes have compelling reasons to refuse specific requests to amend, delete or stop processing your personal data: for example, a legal requirement, or where it falls within a legitimate interest identified in this Privacy Notice. All such requests will be considered on their own merits.

Consent

Where SCIS is relying on consent as a means to process personal data, any person may withdraw this consent at any time. Examples where we do rely on consent include certain types of uses of images. Where we post images of pupils of members schools on our website, we require member schools to confirm that they have the appropriate consents as stated above. 

Please be aware however that SCIS may not be relying on consent but may have another lawful reason to process the personal data in question.

That reason will usually have been asserted under this Privacy Notice or may otherwise exist under some form of contract or agreement with you or the member school or other third party you are employed by.

Whose rights?

The rights under Data Protection Law belong to the individual to whom the data relates.

DATA ACCURACY AND SECURITY

SCIS will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Individuals must notify your SCIS contact of any significant changes to important information, such as contact details, held about them.

An individual has the right to request that any out-of-date, irrelevant or inaccurate or information about them is erased or corrected (subject to certain exemptions and limitations under Data Protection Law); please see above for details of why SCIS may need to process your data, and who you may contact if you disagree.

SCIS will take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around use of technology and devices, and access to SCIS systems. All staff and SCIS members will be made aware of this policy and their duties under Data Protection Law and staff will receive appropriate training.

We have put in place procedures to deal with any suspected personal data breach and will notify data subjects and any applicable regulator of a breach where we are legally required to do so.

THIRD PARTY LINKS

This website may include links to third-party websites, plug-ins and applications, such as the ‘Find a School’ function. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

THIS POLICY

SCIS will update this Privacy Notice from time to time and you should check the SCIS website from time to time to ensure that you are aware of any changes. This policy is effective 01/01/2026. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable.

QUERIES AND COMPLAINTS

Any comments or queries on this policy should be directed to the Data Compliance Manager using the following contact details:  info@scis.org.uk

If an individual believes that SCIS has not complied with this policy or acted otherwise than in accordance with Data Protection Law, they should utilise SCIS complaints/grievance procedure and should also notify the Data Compliance Manager. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO http://www.ico.org.uk/), although the ICO recommends that steps are taken to resolve the matter with SCIS before involving the regulator and we encourage you to contact us before you approach the ICO so we can endeavour to address your concerns.