Read about how we process personal data and find out about your privacy rights.
This notice outlines BIMM Institute’s processing activities relating to personal data and covers the following:
- The basis for processing your personal data
- Personal data we collect about you and how we use it
- Retention of personal data
- Disclosure and transfer of personal data
- Your rights including access to information and correction
- Links to third-party websites
- Changes to our privacy notice
BIMM Limited and BIMM Group Limited are companies incorporated and registered in England and Wales under company numbers 06347465 and 07172561, and whose registered office is situated at 38-42 Brunswick St West Hove, East Sussex, BN3 1EL and trades as BIMM Institute.
As the data controller, BIMM Institute is responsible for your personal data (we will be referred to as “BIMM”, “we”, “us” or “our” in this Privacy Notice).
BIMM Limited is registered as a Data Controller with the Information Commissioner’s Office (ICO). Our registration reference is ZA362716.
BIMM’s main establishment is based in the United Kingdom and therefore the ICO is our lead supervisory authority. BIMM also has colleges in Germany (Berlin and Hamburg) and the Republic of Ireland (Dublin).
If you have any queries concerning your personal data and how it is processed, contact BIMM’s Data Protection Officer at firstname.lastname@example.org.
The basis for processing your personal data
We will collect and process personal data about you for the purposes described below.
We process your personal information to enable us to:
- provide education and support services to our students and staff
- for advertising and promoting BIMM and the services we offer
- undertake research
- to manage our accounts and records
- report on business insight
- to work with third parties and commercial clients.
Our Estates and Facilities departments at college level also process personal information via the use of CCTV systems to monitor and collect visual images for the prevention and detection of crime, for disciplinary proceedings against staff and students and for monitoring security of our buildings.
Personal data may include ‘special categories of data’ (sometimes referred to as ‘sensitive data’). Categories of personal data are defined by the General Data Protection Regulation 2018, which classifies special categories of data include information such as your racial or ethnic origin, religious or other beliefs and physical or mental health.
When we process personal data, there must be a lawful basis for doing so. When we process special category personal data, we need to meet additional conditions too. Further information about this can be found on the ICO’s website.
The most common basis for processing your personal data at BIMM is because it is necessary for our or an internal third party’s legitimate interests. The purpose of BIMM is to advance learning and knowledge by teaching and research, and to provide students with the best opportunity to achieve a sustainable career in the music and broader creative arts industries. Examples of processing on this basis include monitoring and evaluating the performance and effectiveness of BIMM and improving the academic, corporate, financial and human resource management of BIMM.
In addition to this lawful basis, we may also process your personal data because it is necessary for the performance of a contract or in order to take steps at your request to prior to entering a contract with us. For example, this may include interacting with individuals before they are enrolled as a student, as part of the admissions process, or dealing with concerns that a prospective employee may have.
We may also need to process your personal data to comply with our legal obligations. This can include compliance and regulatory obligations, such as immigration obligations and safeguarding requirements, or to assist with police investigations or other authorities.
We may also process your personal data where it is necessary to protect you or another person’s vital interests, for example in a life-or-death situation where urgent medical help is required.
We may also process your personal data where we have your explicit and specific consent to do so.
Personal data we collect about you and how we use it
Personal data is collected in several different ways depending on your interaction with BIMM. The purposes for processing your personal data are outlined below.
Website visitors and enquiries
We collect personal data directly from website visitors or users through the use of online forms as well as when you submit an online enquiry, request a prospectus or book an Open Day visit to one of our colleges.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the Privacy Notice of every website you visit.
Applicants, students and alumni
We collect personal data via student applications through the UCAS and CAO systems as well as our own application systems. If you enrol as a student at BIMM, a student record will be created for you.
BIMM needs to process certain information about its students, parents and guardians and other individuals with whom it has relationships for various purposes such as:
Accounts and records
- the administration of student accounts and payments
- the collection of student fees
- to maintain a core student record
- to enable us to fulfil statutory reporting obligations, such as
- verification of the right to study
- administration required for provision of education and training (such as registration and timetabling)
- calculation and publication of exam results
- provision of references
- provision of education and training such as the planning and control of curricula and exam and producing educational materials
- administration relating to the application process, e.g. receipt and processing of UCAS and CAO forms, compilation of statistics, assessments including preliminary and confirmed offers, liaison with UCAS, CAO and agents
- to contact individuals who have provided disability details at the point of application or registration to signpost to our Student Services to register for arrangement of reasonable adjustments
- to carry out student discipline and academic misconduct processes
- to administer the academic appeals process
- video capture of lectures, seminars and other learning environments.
- administration of grants and loans, e.g. student loans and access loans
- ticket issue/reservation services and the running of BIMM events
- administration and provision of a BIMM student card
- administration and provision of welfare and support services such as counselling*
- careers guidance
- activities undertaken as part of our commitment to widening participation and access
- administration and provision of computing and IT facilities
*It is often likely that special category data needs to be processed for these purposes; a separate consent form which includes privacy information will be provided to you in these circumstances.
- the promotion of the relationship between the Institute and its alumni
- BIMM-related fundraising initiatives involving alumni
- advertising and promotion of alumni events
- distribution of mailings, e.g. alumni magazines, newsletters, annual reports, and message forwarding
- the promotion of benefits and services available to alumni from third parties*
- careers advice to students and help with student recruitment*
- advertising, marketing and public relations for others.
Your information may be used to send you details of products or services that we offer that we have identified as likely to be of interest to you, but you will only be contacted according to the preferences you submit when providing your personal data. If you would like to change these preferences (e.g. opt-out of receiving some communications or change channels used for contact) at any point, you can:
- use the link on the bottom of the last email you received from us
- email email@example.com
Employment applicants and staff
We collect personal data via the employment application and recruitment process, and when you enter into a contract as an employee of BIMM. The way this data is used is outlined below:
BIMM may use internet searches to perform due diligence on candidates in the course of recruitment. Where BIMM does this, it will act in accordance with its data protection and equal opportunities obligations.
- selection processes, including short-listing candidates and interviews
- equality and diversity monitoring
- processing expenses related to interview processes
- pre-employment health screening.
- payroll administration and HMRC compliance
- administration of employee pension schemes
- provision of occupational health services, including for pension purposes
- management of absence records
- verification of eligibility/right to work
- administration of flexible working arrangements
- providing access to secured buildings
- ensuring compliance with the BIMM’s Equality and Diversity Policy
- reviewing performance and facilitating promotion and reward
- to carry out staff grievance and disciplinary processes
- to conduct staff training activities
- processing expenses and administrating corporate spending accounts
- to enable us to fulfil statutory reporting obligations.
Basic personal details can be maintained via PeopleHR, and/or by contacting your local People representative.
Throughout the course of the research carried out under the remit of BIMM’s Research and Enterprise Strategy, personal data will be processed where necessary.
Where research involves human participants (data subjects), the research will be subject to an ethical review process. Research participants will also be provided with an information sheet relating to the specific piece of research they are participating in, as well as the necessary consent form(s) to ensure transparency and clarity regarding data collection, use, and retention. BIMM Institute has created consent forms in a standard approved format that is aligned with sector practice.
General notice regarding photography and video
BIMM’s Marketing and Communications teams routinely captures images and videos in colleges and events for promotional use on BIMM’s website, social media channels, and/or print materials, some of which may include individuals. In cases where individuals are clearly identifiable, consent will be obtained accordingly.
BIMM also records video footage of some events, such as our graduation ceremonies, for the purpose of making these available via its website to those who are unable to attend. Notices will be posted at events and information made available for those who prefer not appear in any footage.
Retention of personal data
BIMM will only keep your personal data for as long as is necessary for the purpose for which it is processed.
Disclosure and transfer of personal data
We will only disclose your personal data to a third party when we are required to by law, where we have your specific consent, or where appropriate arrangements are in place with regard to data sharing – for instance:
- companies or suppliers with whom we engage to process data on our behalf – if so, we will ensure adequate arrangements are in place to protect your personal data, such as a Data Sharing Agreement and third-party security review
- third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, or is proposed to happen, then the new owners may use your personal data in the same way as set out in this Privacy Notice.
- professional and regulatory bodies in relation to confirmation of qualifications, professional conduct, and the accreditation of courses
- legal representatives
- internal and external auditors.
Personal data will be shared between these parties where there is a lawful basis to do so (see table below).
Government departments and agencies
Validating or delivering degree programmes as part of a dual controller relationship or franchise agreement
Government departments and agencies
Validating or delivering degree programmes as part of a dual controller relationship or franchise agreement
|Germany (Berlin and Hamburg)||Validating or delivering degree programmes as part of a dual controller relationship or franchise agreement||
From time to time, BIMM will transfer limited personal data outside the European Economic Area. After the United Kingdom has officially left the European Union in January 2021, BIMM will adhere to the requirements of data protection legislation subject to the status of UK data protection legislation and EU legal requirements.
Where personal data is transferred outside of the EEA, BIMM will ensure that standard contractual clauses are in place where there is no adequacy decision in place to cover the transfer and that adequate technical and organisational controls are in place. The Institute ensures that appropriate agreements with regard to data sharing are in place with contracted service providers and international institutions outside the EU.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- where we need it to perform our educational services (performance of a contract);
- it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Our legitimate interests are in providing our educational services to you and in promoting or furthering our educational services; or
- where we need to comply with a legal or regulatory obligation.
Your rights including access to information and correction
You have a number of rights under the General Data Protection Regulation, including the right:
- to rectify any inaccuracies in personal data that we hold about you. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
- to be forgotten (data erasure) in some circumstances, that is your personally identifiable information to be removed from systems that we use to process your personal data
- to restrict the processing of your personal data in certain ways
- to obtain a copy of your personal data
- to withdraw consent where that is the sole legal basis of our processing
- to object to certain processing of your personal data by us
Further information about your rights can be found on the ICO’s website. You may also contact the Data Protection Officer for further information.
You also have the right to ask to see what personal data we hold about you, known as a subject access request. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances. The timeline for responding to subject access requests is 1 month. Please contact firstname.lastname@example.org for further information.
You have a right to lodge a complaint with a supervisory authority at any time about the way in which we process your personal data.
We would, however, appreciate the chance to deal with your concerns in the first instance.
We take security very seriously. All staff are made aware of the security procedures they must follow when handling personal information. Data is protected from unauthorised access and we are confident no-one will be able to access your personal information unlawfully.
We have put in place appropriate technical, organisational and security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed.
We have also put in place procedures to mitigate personal data breaches and to deal with any suspected personal data breach in a timely and effective manner.
BIMM is under a statutory duty to have regard to the need to prevent people being drawn into terrorism. If the use of BIMM computer equipment, information and systems gives rise to a concern that a person may be at risk, this may result in action being taken in accordance with the Prevent Duty Policy (PDF).
Links to third-party websites
While we will take all reasonable precautions to make sure that other organisations who we deal with have good security practices, we are not responsible for the privacy practices of those organisations whose websites may be linked to our service.
Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes or if we change our business in a way that affects personal data protection.
The latest version of our Privacy Notice will always be available on our website.
This privacy notice was last updated on 3rd December 2020.
If you would like more details about how we use and store your personal data, please contact us.