Privacy Policy

This Privacy Notice applies to all personal data and information processing activities performed by Marlborough College Malaysia – registered M East Sdn Bhd and subsidiary organisations, societies and clubs. For the purpose of this notice all of these organisations will be termed “the College”.Marlborough College Malaysia reserves the right to modify this Privacy Notice at any time. Please review it occasionally. If the College makes changes to this Privacy Notice, the updated Privacy Notice will be published in a timely manner and if it makes material changes, it will provide a prominent notice or communicate any changes to draw attention to such changes.

PRIVACY NOTICE This Privacy Notice applies to all personal data and information processing activities performed by Marlborough College Malaysia – registered M East Sdn Bhd and subsidiary organisations, societies and clubs. For the purpose of this notice all of these org anisations will be termed “the College”. Marlborough College Malaysia reserves the right to modify this Privacy Notice at any time. Please review it occasionally. If the College makes changes to this Privacy Notice, the updated Privacy Notice will be pub lished in a timely manner and if it makes material changes, it will provide a prominent notice or communicate any changes to draw attention to such changes. Introduction The College is a data user for the purposes of data protection. The College proc esses data in accordance with the Malaysian Personal Data Protection Act 2010 and this notice is designed to give you information about how and why we process personal data as well as what types of personal data is involved. The College has appointed the IT Operations Manager as Data Protection Officer (DPO) who will endeavour to ensure that all personal data is processed in compliance with current data protection legislation, published policies and contracts. 1. Why do we process personal data? The C ollege processes relevant personal data regarding members of staff, applicants for vacancies, volunteers, visitors, pupils, parents, guardians, alumni, families, customers and suppliers as part of its day to day operations, objectives, statutory obligation s and interests as follows: • The selection and admission of pupils, including awarding and reporting relating to scholarships and bursaries. • The provision of education and related service to pupils and parents, including pupil records, results and reports, trips, co – curricular activities, sports, matches, exams, school curriculum, timetable, pupil and teacher exchanges, the Almanac, university applications and guidance, uniform order, security pass application, transport arrangement and visa applica tion. • The safeguarding of pupils, provision of pastoral and medical care and services. • Compliance with legislation, statutory reporting, regulation, inspection and audit including Subject Access Requests under data protection legislation. • Operational Management, including visitors, general administration, procurement of goods and services, management of property and assets, rentals, CCTV, catering, campus security, health and safety, fire risk management and building maintenance. • Selection and employment of staff including volunteers, temporary staff, contract staff, and Council members including Disclosure and Barring Service (DBS) check s and criminal background checks • Ongoing management of staff, including vacations, absences, performance reviews, salaries, benefits, taxation, payroll, disciplinary records and statutory reporting. • Alumni management, networking and communication. • Fundra ising activities, which may include wealth screening. • Management of clubs and societies. • Promotion of the College. • Financial management, including debtors, creditors, fees, invoices, accounts, fiscal management, bursary applications and income tax return and assessment. • Commercial activities, including marketing, managing customers, events, insurance. • Locate and recover lost devices • Data backup 2. What personal data are we processing? The College processes personal data about: • Prospective, current and past pupils and their parents, guardians or fee payers. • Staff including full time staff, job applicants, volunteers, contract staff and Council members. • Customers and visitors, including adults and children attending Summer School courses, sports club members, events. • Donors, Friends of MCM, Club memberships (Old Marlburian Club), society memberships • Suppliers, contractors and service providers. The personal data we process may be factual, opinion, images, video, or other recorded information and may be held in a variety of forms, digital, paper, film etc. Examples of the type of data we process ar e: • Titles and names. • Addresses, telephone numbers, email addresses and other contact details. • Passport and Visa details. • Admissions related information, references, academic, co – curricular activities, interests and achievements. • Pastoral, health and spec ial needs, attendance and disciplinary records. • Exam scripts, digital media submissions to exam boards, marks and reports. • Education and employment information including references and referees, performance reviews, disciplinary records. • Security photograp hs and access information or access logs, including CCTV footage. • Video or still photographs of sports matches, training & other events. • Visitor logs. • Financial information. • Training records, including courses, conferences, activities and meetings attended . • Personal vehicle details, including vehicle registrations, proof of licence entitlements, proof of insurance. • Correspondence between staff, pupils, parents, and other individuals. • Contracts. • Login credentials, email addresses and other system identifiers . • Digital access, backup and other logs, including web logs, system audit logs, firewall logs, device location logs & email archival. The legal basis for processing this data is typically fulfilment of contract or legitimate interest. In some exceptional cases the College relies on consent to process this data. The College also processes sensitive personal data when necessary for legal requirements where it is in the best interest of the data subject. Sensitive personal data means: • any person al data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any othe r personal data as the Minister may determine by order published in the Gazette. The legal basis for processing this data is typically legal requirement, fulfilment of contract or legitimate interest. 3. Where do we collect your personal data? The collection points for this most of this personal data are paper or digital forms. Some data is provided by third parties, such as references for pupils and staff, examination boards or the disclosure and barring service for DBS checks or criminal backgroun d checks. Other personal data is collected during the course of normal operations of running the College. Personal data collection has been reviewed and the College does not process personal data that is not required for a specific purpose and in most c ases provides specific privacy notice detail on individual forms, especially those where consent is the legal basis. 4. With whom do we share your personal data? Personal data processed by the College remains within the College and is processed by appr opriate members of staff for the purpose for which it was collected. Technical and procedural steps, processes and procedures are in place to protect access to physical and digital personal data. The College does not sell personal data. In some cases, we may be required to disclose personal data, for example statutory reporting of health and safety incidents, safeguarding incidents where external organisations are involved, and the emergency services and in other lawful and legitimate cases. The College may rely on external data processors for some systems and services , including some online service providers and ensures that compliant contracts are in place. Health and medical information collected during the admissions process is passed to th e Health C entre . The College shares data where necessary for third parties, some of which are located outside Malaysia, including: • Other schools and organizations or persons to facilitate trips, events and sport events and matches. • Examination boards, COBIS, accrediting organisations and inspectorates, and co – curricular organisations • Government department and agencies such as Ministry of Education, Immigration etc. • Commercial organisations such as banks, hotels, travel companies etc. • Safeguarding hubs, emergency services, insurance and medical service providers. • Pupils’ sponsors including his/her parents/guardians. • Online services used in the classroom and communication with p arent such as G Suite for Education, Microsoft Office 365, iSAMS, Firefly VLE, Parent Evening System etc • In some cases, trips are made to countries outside the countries of adequacy as defined in data protection legislation, for example China. Under such c ircumstances trip consent forms will make it clear that this is the case and the data subject will be required to consent to this as a condition of the trip. Examination boards are data users in their own right. Specific rules apply to exam results, requ ests for exam results and examination papers. Individual examination boards publish their own privacy notices and relevant Subject Access Requests may be made directly to examination boards. In some circumstances we may publish, in a restricted way, perso nal data or sensitive personal data, allergy or other medical conditions for example, where having that information freely available to relevant staff is clearly in the best interest of the data subject and necessary for operational reasons . 5. How long do we store your personal data? The College retains personal data for differing periods of time for different purposes as required by statute or best practice. Individual departments incorporate retention times into the processes and manuals. Other s tatutory obligations, legal processes and enquiries may also necessitate the retention or extended retention of certain data. In general, we keep personal data for no longer than is required for the purpose for which it was collected, some exceptions are: • The Marlburian Club, as an alumni centred organisation will keep personal data relating to its members in accordance with its constitution. • The College Archive, some personal data of historic value, including photographs, school photographs, historical pupil lists and may be archived in perpetuity. 6. What are you rights? Data subjects have: • Right to be informed – the right to be told wh ether your personal data is processed by or on behalf of the college • Right of Access – the right to be informed of and request access to the personal data we process about you. • Right to Rectification – the right to request that we amend or update your pe rsonal data where it is inaccurate or incomplete. • Right to Withdraw Consent – the right to request that we stop processing all or some of your personal data. • Right to Object – • the right to object to your personal data being processed for direct marketi ng purposes. • the right to prevent processing likely to cause damage or distress . This Privacy Notice is published as part of these rights. If you wish to exercise any of these rights, with the exception of the right to access, please contact the College department processing that information in the first case. Please note that not all rights are applicable to all processing of personal data, depending on the lawful basis that personal data is being processed under. Websites Websites in use by the College, including: calendar.marlboroughcollege.my mcmbookings.marlboroughcollege.my parents.marlboroughcollege.my vle.marlboroughcollege.my sports.marlboroughcollege.my www.marlboroughcollege.my www.marlboroughcollegemalaysia.org www.mcmtournaments.com and other internal websites, use “cookies” to facilitate website functionality, but not for tracking or other marketing purposes. Some websites use analytics tools to analyse website use and trends . Log files for all websites may be kept for up to 13 months for safeguarding or law enforcement purposes. Contacts If you have any issues relating to data protection relating to the College, or you feel like the College has not respected your rights or wishes in respect of data protection, please contact the Data User or the Data Protection Officer in writing at the published main college address, or via email at DPO@marlboroughcollege.my Conflicts In the event of any conflict between this English language Privacy Notice and its corresponding Bahasa Malaysia Privacy Notice, the terms in this English language Notice shall prevail. Updates Marlborough College reserves the right to modify this Privacy Notice at any time. Please review it occasionally. If the College makes changes to this Privacy Policy, the updated Privacy Policy will be published at our website in a timely manner and if it makes material changes, it will provide a prominent not ice or communicate any changes to draw attention to such changes.