
This privacy notice advises alumni, former parents and friends of Tiffin School of Tiffin Association Limited’s (the Association’s) data protection responsibilities in the collection and processing of their personal information. Both Tiffin School and the Association operate as data controllers and data processors of information provided to them.

This notice provides details about:

  • The personal information we collect.
  • How we collect that personal information.
  • What we do with the personal information.
  • Your rights in relation to any personal information held and processed by the school.

Mrs A K Swift (Tiffin School Development and Alumni Manager) has responsibility for ensuring that personal information is held and processed in the correct way.

Questions about this policy, requests for further information, or to exercise any rights as set out below, should be directed to her at TAL@tiffin.kingston.sch.uk.

For any queries relating to Tiffin School’s Data Protection policies or processes please contact the School’s Data Protection Officer, Mr A Ingall, Deputy Headteacher, at dpo@tiffin.kingston.sch.uk

What is personal information and what does processing mean?

Personal information is any information that relates to you that can be used directly or indirectly to identify you. This includes, but is not limited to, information such as your name, date of birth, email and postal addresses.

Personal information and processing are defined by Regulation as follows:

  • Personal information means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR article 4).
  • Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data (GDPR article 9).
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR article 4).

Data protection principles

Tiffin School and the Association process personal data about alumni and other persons in accordance with the following data protection principles:

  • We process personal data lawfully, fairly and in a transparent way.
  • We collect personal data only for specified, explicit and legitimate purposes.
  • We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • We keep personal data in a form which permits identification from personal data for no longer than is necessary for the purpose of the processing or, if for longer periods, for such reasons as permitted by the GDPR.
  • We adopt appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.

We will not process personal data of individuals for reasons other than those given as the stated purpose or purposes. We will update personal data promptly if an individual advises that his/her information has changed or is inaccurate.

The Association has adopted, follows and considers itself bound to the Data Protection policies and procedures used by Tiffin School in operation at any given time.

Our legal grounds for using personal data

There are several grounds on which the Association, as an alumni organisation, holds and processes personal data as well as authorising the School to do so on its behalf as its data processor. Under data protection laws, the lawful reasons for processing personal data on which the Association will rely include:

  • Consent.
  • To comply with a legal obligation.
  • For the mutual legitimate interest of the data subject and the Association.

Sometimes the handling of personal data falls within more than one of the above lawful grounds.


If we ask for your consent to use your personal data, you can take back this consent at any time. Any use of your information before you withdraw your consent remains valid.  

Legal obligation

This is where we need to use personal data to comply with a legal obligation, such as licensing or registration.

Legitimate Interest

The Association considers its role as an Alumni organisation to meet the requirements of a Legitimate Interest basis of data processing. Personal data processed and controlled under this basis is required to further the deep and meaningful relationship between the alumni of Tiffin School, their parents and other friends of Tiffin School. The activities undertaken by the Association would not be possible without the processing of the data. The type and kind of data collected and processed is of a level that does not adversely affect the individual’s interests, rights or other freedoms.

Why do we collect and process personal data?

We only use personal data to contact alumni, former parents and friends of the School with information about the School or the Association (e.g. via newsletters) and events that they may wish to attend.

How do we obtain personal data?

The information held by the Association comes primarily from the School, some of which is collected from the School’s Leavers Forms. It is also recorded when you contact the School’s Development Office or the Association directly.

With whom do we share personal data?

We do not share information with anyone without the consent of the data subject, unless the law and/or our adopted policies allow us to do so.

Data, where it is reasonable to do so, may be shared with other professionals contracted by the School, such as legal and professional advisers. In addition, a third-party IT services provider under a data security contract, or a provider of cloud-based storage, may also process your personal data for the purpose of securely holding and protecting your data.

  • We will only share your information with other people and organisations when we have a legitimate reason to do so.
  • On occasions external consultants/contractors may have temporary access to personal data held by the School which may include information held by the School for the Association. For example, IT consultants might be granted temporary access to personal data in order to fulfil their contract(s). Access will only be granted to consultants who have demonstrated compliance with the school’s data protection standards.
  • The School uses various IT systems. This includes using cloud-based storage systems to hold student data. Before use, the school ensures that adequate security measures are in place.
  • The Association may need to share some information with our insurance provider to ensure we maintain adequate cover or to process any claims.
  • The Association may use photographs or videos of you on the Association’s website, social media sites, newsletters and publications as part of the Development Office’s communications.

Automated decision-making and profiling

The Association does not make automated decisions regarding individuals or use automated processing to evaluate certain information about an individual (profiling).

How do we protect personal data?

The Association takes the security of personal data very seriously. The Association utilises the School’s internal policies and controls to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by representatives of the Association in the performance of their duties.

Where the Association, or the School, may engage third parties to process personal data on its behalf, they are required to do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. For example, we ensure the School uses encrypted devices, passwords and virus protection, and has appropriate firewalls.

Sending information to other countries

Servers and storage systems used by the School on behalf of the Association are based in the EU or the European Economic Area (EEA) and the School has ensured that appropriate safeguards are in place to protect personal data stored there.

How long do we keep personal data?

Unless otherwise required by law or regulation, the Association will only keep personal data for as long as is necessary for its activities or records.

The Association will keep certain information (name, contact details, date of admission and date of leaving) as part of the School Archive, which is controlled and governed by the School’s records retention policy(ies).

What rights do you have in relation to your information?

You have the following rights in relation to your personal data. Some of these rights are new.

  • The right of access to the personal data and supplementary information. This right is to enable you to be aware of and verify the lawfulness of the personal data we are processing.
  • The right to rectification. This right allows you to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure. This is also known as the ‘right to be forgotten’. This is not an absolute right and applies in specific circumstances.
  • The right to restrict processing. This right applies in circumstances where, for example, the data subject contests the accuracy of the data or challenges the public interest or legitimate interest basis. Further guidance can be obtained from the ICO’s website.
  • The right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes.
  • The right to object. Individuals have the right to object to:
      • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
      • Direct marketing.
      • Processing for scientific/historical research and statistics.

  • Rights in relation to automated decision making and profiling.

Reviewed Sept 2020

Tiffinian Association ICO registration number: Z3172269