Under General Data Protection Regulations (GDPR) we are obliged to inform you of the information we hold on you and your child(ren) enrolled at the school, what we use the information for, who we share it with, and for how long we keep it. This privacy notice aims to provide you with this information.
Stiftelsen Kongsberg International School is the data controller for the purposes of data protection law. The School Business Manager has the day-to-day responsibility for data protection. The Business Manager reports to the Head of School who in turn reports to the Kongsberg International School Board, which has the overarching responsibility for all matters concerning the school.
Information we Collect
The categories of student & parent information that we collect, hold, use and share include, but are not limited to:
• Personal information (such as name, address, Norwegian personal identification number)
• Contact details (contact telephone numbers, email addresses, addresses)
• Legal guardianship
• Characteristics (such as language, nationality, gender)
• Attendance information (such as sessions attended, number of absences and absence reasons)
• Assessment information (such as IB assessment, national tests, and benchmarking, both internal and external)
• Relevant medical information (such as health concerns and allergies)
• Special educational needs information (such as observations and support plans)
• Safeguarding information
• Information relating to exclusion from school
• Behavioural information
• Photographs (for internal displays, school newsletters and yearbooks, media and promotional purposes. NB: we do not share or publish photographs without consent).
• Payment details
Why we collect and use this information
We use the student and parent data:
• to support student learning
• to monitor and report on student progress
• to provide appropriate pastoral and medical care
• for safeguarding and student welfare purposes
• to administer admissions, including waiting lists, according to our admissions policy
• for research purposes
• to inform you about events and other things happening in the school
• to assess the quality of our services
• for invoicing
• to set up school transport
• to comply with the law regarding data retention and data sharing
Our lawful basis for collecting and processing personal information is defined under Article 6, and the following sub-paragraphs in the GDPR apply:
a) Data subject gives consent for one or more specific purposes.
b) Processing is necessary to comply with the legal obligations of the controller.
c) Processing is necessary to protect the vital interests of the data subject.
d) Processing is necessary for tasks in the public interest or exercise of authority vested in the controller (the provision of education).
e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Our lawful basis for collecting and processing personal information is also further defined under Article 9, in that some of the information we process is deemed to be sensitive, or a special category of information and the following sub-paragraphs in the GDPR apply:
a) The data subject has given explicit consent.
b) It is necessary to fulfil the obligations of controller or of data subject.
c) It is necessary to protect the vital interests of the data subject.
d) Processing is carried out by a foundation or not-for-profit organisation
g) It is in the public interest
i) Reasons of public interest in the area of public health
Some of the reasons listed above for collecting and using personal data overlap, and there may be several grounds which justify our use of this data.
Whilst the majority of student information you provide to us is mandatory, some of it is provided to us on a voluntary basis. Where we have obtained consent to collect or use personal data, this consent can be withdrawn at any time.
Storing and Deleting Personal Data
We hold personal data whilst the student remains at Kongsberg International School. However, there is a legal obligation to retain a significant amount of information (such as reports, grades, decisions affecting a student’s statutory rights (enkeltvedtak) and individual educational plans) beyond that period and this will be retained in line with our internal routines. Further information can be found by contacting the Business Manager. The school aims to delete information as soon as it is no longer required for the purpose for which it was collected and there is no legal reason to store it.
We do not share information about our students with anyone without consent unless the law and our policies allow us to do so. However, we routinely share personal information with appropriate third parties, including:
• Kongsberg Kommune (local authority) and the home local authorities of our students – to meet our legal obligations to share certain information with them
• The Department for Education and the Directorate for Education and Training
• The student’s family and representatives
• The International Baccalaureate (IB)
• The County Governor (Fylkesmannen)
• Suppliers and service providers – to enable them to provide the service we have contracted them for (see below)
• Our auditors
• Survey and research organisations
• Health authorities
• Security organisations
• Health and social welfare organisations
• Emergency services, courts, tribunals
• Public transport company
• Schools that the students attend after leaving us (see consent form)
Where we transfer personal data to a country or territory outside the European Economic Area, we will do so in accordance with data protection law.
Where the school uses suppliers or service providers for mandatory services (when consent is not sought), the school will enter into a data processing agreement with the service provider when the supplier has access to personal data, such as in the cases below:
· The school’s website, which includes forms for admissions and applications for leave (no access to personal data)
· The school’s password-protected learning management system (data processing agreement)
· The school’s administrative system (no access to personal data)
· The school’s IT systems, both cloud-based and on-site (data processing agreements)
· Educational applications used in teaching (either no personal data is required, or a data processing agreement is entered into)
· The school’s online library system (data processing agreement)
Further information is not given here for reasons of system security.
Your Data Protection Rights
Under data protection legislation, parents and students have the right to request access to information about them that we hold. Parents/guardians can make a request with respect to their child’s data where the child is not considered mature enough to understand their rights over their own data (usually under the age of 12), or where the child has provided consent. Parents also have the right to make a subject access request with respect to any personal data the school holds about them.
You also have the right to:
• Object to processing of personal data that is likely to cause, or is causing, damage or distress
• In certain circumstances, have data erased or destroyed
• In certain circumstances, have inaccurate personal data rectified
• Claim compensation for damages caused by a breach of the Data Protection regulations
The school reserves the right to make amendments to this privacy notice. The current privacy notice will be the one that is available on the school’s website (www.kischool.org).
We take any complaints about our collection and use of personal information seriously. If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance. To make a complaint, please contact the Business Manager.
Alternatively, you can make a complaint to the Norwegian Data Protection Authority (https://www.datatilsynet.no/en/).
If you have any questions, concerns or would like more information about anything mentioned in this privacy notice, please contact the Business Manager. You can contact the Business Manager via the school office.