Data Protection and Privacy Policy


BSA Group (BSAG) comprises BAISIS (British Association of Independent Schools with International Students), BSA (Boarding Schools’ Association), HIEDA (Health in Education Association), SACPA (Safeguarding and Child Protection Association) and TIOB (The Institute of Boarding). Also found within the group are SBF (State Boarding Forum) and BSA Legal Services Ltd, a subsidiary of BSA Group Services Ltd.

BSA Group’s mission is to support excellence in boarding, safeguarding, inclusion and health education. BSA Group delivers services for more than 1,500 organisations and individuals in 40 countries worldwide.

We take our responsibilities as a data controller seriously and are committed to using the personal data we hold in accordance with the law.

This privacy notice provides detailed information about how we process personal data. Please read it carefully and, if you have questions regarding your personal data or its use, please contact the BSA Group via



We process personal data about current and past: employees, contractors, board and executive committee members, member and non-member organisations, schools, school staff, BSA Group staff, training providers/contractors, information about students provided to us by the school and other individuals connected to a member organisation or school.

The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual. Examples include:

  • Names, addresses, telephone numbers, e-mail addresses and other contact details
  • Images, audio and video recordings
  • Financial information (bank details)
  • Courses, meetings or events attended

As an employer, we need to process criminal records information about individuals (particularly staff and contractors). We do so in accordance with applicable law (including with respect to safeguarding or employment) or by explicit consent.



The BSA Group (BSAG) complies with all statutory requirements of the Data Protection Act 2018 by registering all personal data held on its computer and/or related electronic equipment and by taking all reasonable steps to ensure the accuracy and confidentiality of such information.

The Data Protection Act protects individuals’ rights concerning information about them. Anyone processing personal data must comply with the eight principles of good practice.

Data must be:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with the data subject’s rights
  • secure
  • not transferred to countries without adequate protection.

Individuals can request in writing access to the information held on them by BSAG and there is no charge for this service.

We collect most of the personal data we process directly from members. We also collect data from third parties (working references, professionals or authorities) or from publicly available resources.

Personal data held by us is processed by appropriate members of staff for the purposes for which the data was provided. We take appropriate technical and organisational steps to ensure the security of personal data about individuals, including secure use of technology and devices, and access to our online systems. We do not transfer personal data outside of the European Economic Area unless we are satisfied that the personal data will be afforded an equivalent level of protection.

Some of our systems are provided by third parties, such as Microsoft Office suite and cloud storage, the BSA Group websites, BSA Group’s newsletters and independent cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with our specific directions.

We do not share or sell personal data to other organisations.



We process personal data to support the BSAG’s function of promoting and supporting key stakeholders and includes:

  • Names, emails and numbers of key contacts for organisations and schools for membership changes, updates and payments
  • Names, emails and numbers of attendees of events and training (both current and previous) to provide information on similar training or events
  • School-supplied press releases containing names for the purposes of promoting the school through the BSAG online networks
  • Names and contact details of perspective members for the purpose of promoting membership
  • Email addresses of key contacts of members for BSAG newsletters/mailings (opt out option for this is always available)
  • Name/title and school address for purpose of posting BSA Boarding School magazine and BSA promotional content
  • Staff, board and executive committee administration (including recruitment and contractors), for payroll, pensions, sick leave, annual leave, review and appraisals of performance, grievance conduct, capability or disciplinary procedures, providing references
  • Use of images supplied by schools for the promotion of BSAG on our websites, social media, print content and presentations
  • Contact details for associations that work in conjunction with the BSA Group across all of our sectors.
  • Details of individuals who have booked on to BSA Group training programmes in order to confirm training arrangement, share resources, and keep a record of their attendance
  • Details of individuals in the boarding sector who have applied for the Accredited Boarding Practitioner (ABP) scheme to keep them updated with the boarding sector through ABP-specific mailings and promotions
  • Details of safeguarding professionals/advisors for the Sacpa newsletter. Details are provided by individuals who request access to this service, and they are able to opt out at any time by replying to the asking to be removed, or by emailing:
  • Sharing of social media posts from member schools through BSA social networks (retweeting, sharing)

The processing set out above is carried out to fulfil our legal obligations (including staff employment contracts).



The BSAG maintains contact with past school Heads/boarding school staff members who have requested to be kept on the BSA Group mailing lists and have provided their personal details to the BSAG to this effect. This is so that the BSAG can continue to invite these previous school members to events, keep them updated with the boarding sector and provide them with useful and relevant information. The BSAG asks that individuals requesting continued contact provide us with their data preferences to ensure that all communications are requested for and relevant. Individuals can opt out of these mailings at any time by emailing or by clicking on the ‘unsubscribe’ link at the bottom of email contact.



We retain personal data only for legitimate and lawful reasons and only for so long as necessary / required by law. Staff records are retained for seven years for purposes of providing references if requested.

Details of school staff are updated yearly. Staff who have left the school are removed from our contact lists unless they request to continue to receive BSAG contact.

Press releases will remain on all BSAG websites (News Archive, accessible via search function) and social media pages for a period of ten years in order to help support schools in the promotion of their brand. Press releases can be removed at any time by emailing



You have various rights under Data Protection Law to access and understand the personal data we hold about you, and in some cases to ask for it to be erased or amended or for us to stop processing it, but subject to certain exemptions and limitations.

You always have the right to withdraw consent, or otherwise object to receiving generic communications. Please be aware however that the BSAG may have another lawful reason to process the personal data in question even without your consent. This usually relates to staff records (time worked with the BSAG, HR purposes and for reference requests).

If you would like to access or amend your personal data, would like it to be transferred to another person or organisation, or have some other objection to how your personal data is used, please make your request in writing to the CEO, DCEO/COO or Legal Director.

We will respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. We will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, we may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.

You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal privilege. We are also not required to disclose any confidential reference given by the BSA for the purposes of the education, training or employment of any individual.



We only hold pupil data when it has been provided to the BSAG for the purposes of the promotion of a member school (though the BSA and TIOB websites, social media pages and marketing content such as the Boarding School magazine).



Any data relating to safeguarding is provided to us by our member organisations and schools. The data is provided with all details of individuals involved already removed (even if these details are already available in the public domain).

If an organisation, or school provides information that has not been anonymised, the CEO, DCEO/COO or Senior Director will remove all relevant data upon receipt of content. All safeguarding information is kept securely within the BSAG system, with severely limited access.

Safeguarding data will not be shared with any external agency, other than to comply with a legal obligation and where there is a lawful basis for it to be shared.



We try to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Please notify of changes to information, such as contact details.



Our privacy notice should be read in conjunction with our other policies and terms and conditions which refer to personal data, including our Commitment to Care Charter.

We will update this Privacy Notice when required. Any substantial changes that affect how we process your personal data will be notified on our website and to you directly, as far as practicable.

If you believe that we have not complied with this policy or have acted otherwise than in accordance with Data Protection Law, you should notify the CEO, DCEO/COO or Legal Director. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with us before involving them.


Last updated: January 2023

Next update: January 2024