1 INTRODUCTION
1.1 We are committed to protecting and respecting your privacy. Cognita is a group of independent schools. In this privacy notice, references to "we", "us", "our", or "Cognita" are references to Cognita Schools Limited and our schools.
1.2 This privacy notice deals with any personal data we process which is not covered in our staff, parent and pupil privacy notices. It sets out the basis on which any personal data we collect from you is handled by us in the course of our relationship with you. For example, this notice applies to you if you are a visitor, potential recruit, next of kin, supplier, or potential supplier, alumni, or prospective pupil or parent of a prospective pupil.
1.3 For current and prospective parents and pupils, please also see our parent and pupil privacy notices. These are also available on our website.
1.4 Please read the following carefully to understand our views and practices regarding your personal data and how we treat it.
1.5 We comply with all applicable data protection laws and regulations ("Data Protection Legislation"), which may include the General Data Protection Regulation 2016/679 and the Data Protection Act 2018. The Data Protection Legislation continues to change in the UK, following the UK's exit from the European Union and we continue to update our practices in light of these changes. For the purposes of the Data Protection Legislation, we are the data controller and our School Support Centre is at 3rd Floor, 41-42 Eastcastle Street, W1W 8DY. Our ICO registration number is Z9688459.
1.6 If you are reading this privacy notice online, we recommend that you print and retain a copy for future reference.
1.7 Our Data Protection Policy (outlining how personal data is managed) and this privacy notice are closely linked and should be read in conjunction with each other.
2 INFORMATION WE COLLECT ABOUT YOU
Information you give us
2.1 You may give us personal data about you, in a number of ways; these include but are not limited to:
2.1.1 using, visiting or interacting with our website (such as filling out forms or registering on our website);
2.1.2 visiting our offices or schools;
2.1.3 during an interview or meeting;
2.1.4 corresponding with us by phone, e-mail or post; and
2.1.5 sending information directly to us, or providing information as requested by us and/or which is necessary from time to time (for example providing your job application form, CV or business card).
2.2 The information you give us may include (but is not limited to) the following:
A. Personal Data
2.2.1 full name;
2.2.2 photograph;
2.2.3 marital status;
2.2.4 National Insurance number;
2.2.5 salary;
2.2.6 employment history;
2.2.7 contact details (including home address, e-mail address, and mobile, home and/or work phone number);
2.2.8 financial information (for example payee details);
2.2.9 previous educational records and achievements; and
2.2.10 references (as an applicant or potential supplier).
B. Sensitive Personal Data
2.2.11 Passport details, nationality and other information relating to immigration status to ensure your eligibility to work in the local region and/or to send your child(ren) to a school in the local region;
2.2.12 Information about criminal offences and/or convictions;
2.2.13 Information about your physical or mental health, or disability status, to ensure your health and safety at our sites and to assess your fitness to work and to provide appropriate adjustments; and
2.2.14 Information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Technical information we collect about you when you visit our website
2.3 With regard to each of your visits to our website we may automatically collect the following information:
2.3.1 technical information, including the Internet Protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
2.3.2 information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time); pages you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our number.
2.4 Our website may contain links to and from the websites of our partner networks, advertisers, suppliers and affiliates. If you follow a link to any of these websites, please note that these websites are not covered by this notice and may have their own privacy notices. We do not accept any responsibility or liability for these notices. Please check these third-party notices before you submit any personal data to these websites.
Information we receive from other sources
2.5 We may be working closely with third parties (including, for example, recruitment agents, previous employers, medical practitioners, education authorities, local and public authorities, suppliers, payment and delivery services) and may receive information about you from them.
2.6 We may also use CCTV footage to ensure our sites are safe. The footage may capture images of data subjects which will not be disclosed other than to fulfil any legal obligations. We may receive information about you if you use any of the other websites our Group operates or the other services our Group provides.
3 USES MADE OF THE INFORMATION
Information you give to us
3.1 We will use the information you give to us to pursue the following legitimate interests (as applicable to our relationship with you):
3.1.1 promote the objects and interest of our schools, ensure the most efficient management of the schools and ensure that the schools' legal obligations are adhered to;
3.1.2 to store this information on our management information system/s;
3.1.3 to enforce our terms of use with you or any other contract we may have with you;
3.1.4 for the purposes of recruitment;
3.1.5 to enable us to provide/receive services to/from you;
3.1.6 to comply with government and regulatory guidance, and/or legislation; and
3.1.7 where you have attended one of our schools, to keep you up to date with key school news and upcoming events.
3.2 In order to pursue the legitimate interests referred to in paragraphs 3.1.1 and 3.1.7, we rely on software applications and other technology to process personal data about you. These include the school's management information system and our HR and finance systems. We also rely on third parties that deliver physical services such as caterers, photographers, and transport providers. The third parties we use to deliver these applications are carefully chosen and vetted by us to ensure that, among other things, your information is kept secure. Our key systems include Capita (SIMS), iSAMS, Evolve, NetSuite, Cornerstone, Salesforce, Confirmit and Lightspeed, Seesaw, Tapestry, Google, Google Classroom, Microsoft, Meta Platforms, Inc, YouTube, Elfsight and Adswizz. For further information on the kind of technology we use, please contact our Data Protection Officer (see paragraph 9).
3.3 When entering into any contract arising between us and yourselves, we may use your personal data to fulfil any contractual obligations and deliver any services agreed upon.
3.4 In addition, we may be required by law to do the following (which is not an exhaustive list):
3.4.1 keep an accounting record of payment;
3.4.2 provide personal data to public authorities; and
3.4.3 keep a record to evidence fair recruitment processes.
3.5 Inevitably, there will be an overlap between what we do that is necessary to (a) perform our contract with you, (b) carry out our legal obligations and (c) pursue a legitimate interest although we have tried our best to distinguish these as set out above. If you have any questions about these please contact our Data Protection Officer (see paragraph 9).
Information we collect about you from our website
3.6 We will use this information for the following legitimate interests:
3.6.1 to contact you if you have made an enquiry to one of our schools via our online enquiry form or applied for a job;
3.6.2 to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
3.6.3 to improve our website to ensure that content is presented in the most effective manner, and your online experience is as effective and appropriate as possible, for you and for your computer;
3.6.4 as part of our efforts to keep our website safe and secure.
Information we receive from other sources
3.7 We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for one of the purposes set out above (depending on the types of information we receive). For example, we may receive a reference from a previous employer relating to you, which may impact a recruitment decision.
When we disclose information
3.8 In order to pursue one of the legitimate interests set out above, we may share your personal information with:
3.8.1 Cognita's School Support Centre in the UK. This includes authorised staff/personnel who may require your information to carry out their role;
3.8.2 a member of the Cognita group of companies, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006;
3.8.3 local authorities, education authorities (for example, Ofsted), the Department for Education, SEN co-ordinators, social services or the police where we have reason to believe there are safeguarding concerns in respect of a child; and
3.8.4 business partners, professional advisors, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
3.9 We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce our contract (between us and you) and other agreements.
Where we need to get your consent
3.10 We will not market services to you (other than in accordance with paragraph 3.1.7 above) without your consent and you have the right to ask us not to use your contact details for marketing. To unsubscribe, please visit the school website with which you have engaged and follow the steps via the unsubscribe link at the bottom of the home page.
3.11 Limited and anonymised customer data may be shared with Google for the purposes of excluding Cognita's customers from being targeted with adverts about Cognita schools. This data is hashed (using the industry standard SHA256 algorithm) to ensure user privacy is respected throughout every stage of the data sharing
4 TRANSMISSION OF PERSONAL INFORMATION OUTSIDE THE UK OR THE EEA
4.1 The data that we process about you may be transferred to, and stored at, a destination outside the UK, or the European Economic Area ("EEA"). We try to limit this where possible, but it may be necessary where, for example, one of our suppliers has a data centre outside the UK, or the EEA. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice and that the appropriate legal safeguards are in place prior to the transfer, for example ensuring that any contracts between us and the recipient of the information have standard data protection clauses, and/or the country we are transferring the data to is deemed by the UK Government as an adequate country where they have appropriate legal and technical safeguards to protect your data in line with the UK GDPR.
5 YOUR RIGHTS
5.1 Under Data Protection Legislation, you have the following rights:
5.1.1 Right to correction. You have the right to have inaccurate personal data about you rectified.
5.1.2 Right not to be Subject to Automated Decision Making or Profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the individual or similarly significantly affects the individual.
5.1.3 The right to erasure. You have the right to request that we delete your personal data where: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or processed; (b) you withdraw your consent to processing for which we previously obtained your consent; (c) you object to the processing and, as a result, we agree to cease that processing (please see paragraph 5.1.5 for more details); (d) the personal data has been unlawfully processed; and (e) we are required to erase the personal data in order to comply with the law.
5.1.4 Right to restriction. You have the right to obtain from us the restriction of processing where: (a) you contest the accuracy of the personal data we hold about you; (b) the personal data has been unlawfully processed; (c) we no longer need the personal data but they are required in limited circumstances; and (d) you object to the processing and, as a result, we agree to cease that processing (please see paragraph 5.1.5 for more details).
5.1.5 Right to request transfer. In certain circumstances, you have the right to receive personal data from us in a structured, commonly used and machine-readable format and the right to transmit it to a third party organisation.
5.1.6 Right to object. You have the right to raise an objection to any of our processing in paragraphs 3.1 and 3.2. Please tell us if you object to any type of processing that we do and we will work with you to address any concerns you may have.
5.1.7 Right to object to marketing. If you do not want us to process your personal data for direct marketing, please tell us and we will ensure that we no longer do this.
5.1.8 Right to complain to the ICO. Whilst we would always prefer it if you approached us first about any complaints or queries you may have, you always have the right to lodge a complaint with the Information Commissioner's Office.
5.1.9 Right to request access. You have the right to access personal data we hold about you. Please contact our Data Protection Officer if you wish to do so at DPO@cognita.com.
6 HOW LONG WE KEEP PERSONAL INFORMATION
6.1 We will not keep any personal data about you for any longer than is necessary for the purposes for which the personal data are processed.
6.2 We follow a personal data retention policy which determines how long we keep specific types of personal information for. For further information about the criteria we use to determine what periods we keep specific information, please contact our Data Protection Officer (see paragraph 9).
7 USE OF OUR WEBSITE
7.1 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
8 COOKIES
8.1 Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Notice which is made available on our website.
9 CONTACT US
9.1 Questions, comments and requests regarding this privacy notice should be addressed to our Data Protection Officer at DPO@Cognita.com or 3rd Floor, 41-42 Eastcastle Street, London, W1W 8DY.
10 CHANGES TO OUR PRIVACY NOTICE
10.1 Any changes we make to this privacy notice in the future will be posted on our website and, where possible and appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy notice.
1 INTRODUCTION
1.1 Cognita Limited, Cognita Schools Limited, The Bushcraft Company Limited, Super Camps Limited, ALG Cognita Limited and Ardmore Language Schools Limited (together “we”, “us”, “our” or “Cognita”) are committed to protecting the privacy and security of your personal information.
1.2 We comply with all applicable UK data protection laws and regulations (“Data Protection Legislation”).
1.3 For the purposes of the Data Protection Legislation, we are the controllers and our School Support Centre is located at Cognita Schools Ltd, 2nd Floor, 41-42 Eastcastle Street, London, W1W 8DY. We are registered with the Information Commissioner’s Office (“ICO”) as follows:
1.3.1 Cognita Schools Limited – registration number Z9688459;
1.3.2 Cognita Limited – registration number Z919310X;
1.3.3 The Bushcraft Company Limited – registration number ZA237436;
1.3.4 Super Camps Limited – registration number Z7584774;
1.3.5 ALG Cognita Limited – registration number ZA237436; and
1.3.6 Ardmore Language Schools Ltd – registration number ZA458838.
The relevant controller is the one you have the relationship with.
1.4 We also have a Data Protection Policy and Data Retention Policy which we ask you to read carefully. The difference between those policies and this notice is that the policies set out your responsibilities within Cognita to follow good data protection standards and behaviour whereas this notice informs you about how we collect and use personal information about you during and after your working relationship with us, in accordance with the Data Protection Legislation.
1.5 Our Data Protection Policy (outlining how personal data is managed) and this privacy notice (providing detailed information on how this data is collected, used, and protected) are closely linked and should be read in conjunction with each other.
1.6 This notice applies to current and former employees, workers and contractors of Cognita. This notice does not form part of any contract of employment or other contract to provide services.
2 THE KIND OF INFORMATION WE HOLD ABOUT YOU
Personal data
2.1 We will collect, store, and use the following categories of personal information about you:
2.1.1 Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
2.1.2 Date of birth;
2.1.3 Gender;
2.1.4 Marital status and dependants;
2.1.5 Next of kin and emergency contact information;
2.1.5.1 If you provide us with information regarding another individual such as a spouse or family member, you represent that you have any required consent or authorisation to provide us with the information and to permit us to use it in accordance with this notice.
2.1.6 National insurance number; bank account details, payroll records and tax status information;
2.1.7 Salary, annual leave, pension and benefits information;
2.1.8 Start date;
2.1.9 Location of employment or workplace;
2.1.10 Copy of driving licence and/or passport;
2.1.11 Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process);
2.1.12 Employment records (including job titles, qualifications, work history, working hours, training records and professional memberships);
2.1.13 Compensation history;
2.1.14 Performance information;
2.1.15 Disciplinary and grievance information;
2.1.16 CCTV footage and other information obtained through electronic means such as swipecard records;
2.1.17 Your image captured via class photos, events or daily activities with students; and
2.1.18 Information about your use of our information and communications systems; and photographs.
Special Category personal data
2.2 We may also collect, store, and use, the following special categories of personal information:
2.2.1 information about your nationality, race or ethnicity, religious beliefs;
2.2.2 information about your health, including any medical condition, health and sickness records; and
2.2.3 information about criminal convictions and offences as is required for safer recruitment and DBS checks.
3 HOW IS YOUR PERSONAL INFORMATION COLLECTED?
3.1 We collect personal information about employees, workers and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers or other background check agencies.
3.2 We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
3.3 We also use CCTV footage at our sites to ensure your workplace is safe. The footage may capture images of data subjects which will not be disclosed other than to fulfil any legal obligations. We may use CCTV to assist in investigations to ensure that staff are acting in accordance with Cognita’s policies and the law generally. Additionally, in limited circumstances, for crime and fraud detection and prevention, we may also collect personal data via the use of surveillance where we have reasonable grounds for suspecting that a crime may have occurred.
4 HOW WILL WE USE INFORMATION ABOUT YOU?
Lawful bases of processing
4.1 We will only use your personal information when the law allows us to. Most commonly, we will use your personal information where:
4.1.1 we need to perform the contract we have entered into with you;
4.1.2 we need to comply with a legal obligation;
4.1.3 it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
4.1.4 it is necessary for the purposes of carrying out our obligations in the field of employment law.
4.2 We may also use your personal information in the following situations, which are likely to be rare:
4.2.1 where we need to protect your interests (or someone else's interests) (for example, we may need to use your details without telling you to deal with a medical emergency); or
4.2.2 where it is needed in the public interest or for official purposes.
Situations in which we will use your personal information
4.3 We need all the categories of information in the list above (see paragraph 2) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below.
4.3.1 making a decision about your recruitment or appointment;
4.3.2 determining the terms on which you work for us;
4.3.3 checking you are legally entitled to work in the UK;
4.3.4 conducting checks through the appropriate government department / professional body to ensure that you are able to fulfil your role e.g. to teach in accordance with the terms of the employment contract and that you hold either Qualified Teacher Status or Qualified Teacher Learning and Skills Status or to be an accountant, or lawyer;
4.3.5 conducting prohibition from teaching (e.g. TRA investigations) or management checks and/or any other checks or measures that we are required to undertake as a result of any child protection legislation (e.g. LADO referrals) from time to time in force;
4.3.6 paying you and, if you are an employee, deducting tax and National Insurance contributions;
4.3.7 providing you with the benefits as set out in the employment contract or elsewhere;
4.3.8 liaising with your pension provider and health insurance provider;
4.3.9 administering the contract we have entered into with you;
4.3.10 business management and planning, including accounting and auditing;
4.3.11 conducting performance reviews, managing performance and determining performance requirements;
4.3.12 making decisions about salary reviews and compensation;
4.3.13 assessing qualifications for a particular job or task, including decisions about promotions;
4.3.14 gathering evidence for possible grievance or disciplinary hearings;
4.3.15 making decisions about your continued employment or engagement;
4.3.16 making arrangements for the termination of our working relationship;
4.3.17 education, training and development requirements;
4.3.18 dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work;
4.3.19 ascertaining your fitness to work;
4.3.20 managing sickness absence;
4.3.21 complying with health and safety obligations;
4.3.22 to prevent fraud;
4.3.23 to monitor your use of our information and communication systems to ensure compliance with our IT policies. See Monitoring and Security below;
4.3.24 to feature photographs internally on school displays, on our website or in a prospectus;
4.3.25 to send out surveys to you by email as part of our Voice of the Employee campaign which is our employee survey tool;
4.3.26 to send you invites to wellbeing initiatives and to include you in wellbeing activities;
4.3.27 to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
4.3.28 equal opportunities monitoring;
4.3.29 as part of our efforts to keep our sites safe (for example through the use of CCTV); and
4.3.30 all other applications of Cognita’s policies and other terms and conditions of employment.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
Monitoring and Security
4.4 We may monitor use of electronic communications websites by you, at a network level, for the purpose of ensuring that our systems are being used in accordance with Cognita’s IT and acceptable use policies, and for compliance with applicable laws and the prevention and detection of crime. Please bear in mind that you may be called upon to justify the websites you have visited. Internet access can be withdrawn from you at any time. You should be aware that such monitoring might reveal special categories of personal data about you. For example, if you regularly visit websites of a particular political party or religious group, then those visits might indicate political opinions or religious beliefs.
How we use special category personal data
4.5 We may process special categories of personal data (i.e. the personal data identified in paragraph 2.2) in the following circumstances:
4.5.1 in limited circumstances, with your explicit written consent;
4.5.2 where we need to carry out our legal obligations and in line with our Data Protection Policy and/or Data Retention Policy;
4.5.3 where it is needed in the public interest, such as for equal opportunities monitoring, or in relation to our occupational pension scheme, and in line with our Data Protection Policy and/or Data Retention Policy; or
4.5.4 where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.
4.6 Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
4.7 We will use your special category personal data in the following ways:
4.7.1 in relation to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws;
4.7.2 about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits; and
4.7.3 about your race or national or ethnic origin, to ensure meaningful equal opportunity monitoring and reporting.
Do we need your consent?
4.8 We may ask for your specific consent to use your personal data in a way which is not covered by this privacy notice, for example, if we wish to use your photograph on a billboard.
4.9 We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain special category data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
Information about criminal convictions
4.10 We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy and Data Retention Policy. In particular, we require information about criminal convictions as part of our safer recruitment programme. Given that the vast majority of our employees will be working with children at some point, it is important that we are more vigorous in carrying out our criminal checks than organisations in other sectors. Our primary focus is on the welfare of our pupils and our staff.
4.11 Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else's interests) and you are not capable of giving your consent, or where you have already made the information public.
4.12 We will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us or when you tell us as part of the recruitment process. We will use information about criminal convictions and offences in the following ways:
4.12.1 as part of our safer recruitment programme and as part of our deciding whether you are suitable for the role; and
4.12.2 where it is necessary to take the information into consideration when:
4.12.2.1 a complaint is made against you; or
4.12.2.2 taking disciplinary action against you.
4.13 We are allowed to use your personal information in this way to carry out our legal obligations in connection with employment and social protection law.
4.14 For further information about the kind of information about criminal records we keep, please see our Data Retention Policy.
5 CHANGE OF PURPOSE
5.1 We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
5.2 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6 IF YOU FAIL TO PROVIDE PERSONAL INFORMATION
6.1 If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
7 DATA SHARING
Why might you share my personal information with third parties?
7.1 We will share your personal information with third parties where required or permitted by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Which third-party service providers process my personal information?
7.2 “Third parties” includes third-party service providers (including software providers) and other entities within our group. The following activities are carried out by third-party service providers: pension administration, benefits provision and administration and IT services. In particular, we use Cornerstone OnDemand Limited to provide the “Cornerstone” HR solution, Graffiti Group Limited to process payslips, NetSuite to process invoices and Confirmit AS to provide our Voice of the Employee survey platform. We also use Microsoft Compliance to archive emails and Microsoft SharePoint and Teams for document management.
How secure is my information with third-party service providers and other entities in our group?
7.3 All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
When might you share my personal information with other entities in the group?
7.4 We will share your personal information with other entities in the Cognita group of companies as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data. This may involve transferring your personal data outside of the UK. All members of the Cognita group are part of an agreement which uses specific standard contractual terms approved for use in the UK to give the transferred personal data the same protection as it has in the UK. For further information regarding these contractual safeguards, please contact us using the details below.
What about other third parties?
7.5 We may share your personal information with other third parties, for example in the context of the possible sale, transfer, merger, or restructuring of the business or parts of the business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
7.6 We may also need to share your personal information with a regulator or to otherwise comply with the law.
7.7 We may disclose or share your personal data to third parties if we are under a duty to do so in order to comply with any legal obligation such as search warrants, subpoenas, or court orders. This includes where we share your personal data in relation to CCTV footage to official authorities (such as the police) where required to do so to comply with the law.
Transferring information outside the UK
7.8 The information that we process about you may be transferred to, and stored at, a destination outside the UK. We try to limit this, where possible, but it may be necessary where, for example, one of our suppliers has a data centre outside of the UK. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice and that the appropriate legal safeguards are in place prior to the transfer, for example ensuring that any contracts between us and the recipient of the information have standard data protection clauses or the country we are transferring the data to is deemed by the UK Government as an adequate country.
8 DATA SECURITY
8.1 We have put in place measures to protect the security of your information. Details of these measures are available upon request. Please also refer to our IT policies.
8.2 Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
8.3 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
8.4 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
9 DATA RETENTION
How long will you use my information for?
9.1 We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of your personal information are available in our Data Retention Policy. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
9.2 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain or securely destroy your personal information in accordance with our Data Retention Policy.
10 RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
Your duty to inform us of changes
10.1 It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Your rights in connection with personal information
10.2 Under certain circumstances, by law you have the right to:
10.2.1 Request access to your personal information (commonly known as a “Subject Access Request” or “SAR”). This enables you to receive a copy of the personal information we hold about you and to check that it is correct, and that we are lawfully processing it.
10.2.2 Right not to be Subject to Automated Decision Making or Profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the individual or similarly significantly affects the individual.
10.2.3 Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
10.2.4 Request erasure of your personal information. You have the right to request that we delete your personal data where: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or processed; (b) you withdraw your consent to processing for which we previously obtained your consent; (c) you object to the processing and, as a result, we agree to cease that processing (please see paragraph 10.2.5 for more details); (d) the personal data has been unlawfully processed; and (e) we are required to erase the personal data in order to comply with the law.
10.2.5 Object to processing of your personal information where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
10.2.6 Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
10.2.7 Request the transfer of your personal information. In certain circumstances, you have the right to receive personal data from us in a structured, commonly used and machine-readable format and the right to transmit it to a third party organisation.
10.2.8 Right to complain to the ICO. Whilst we would always prefer it if you approached us first about any complaints or queries you may have, you always have the right to lodge a complaint with the Information Commissioner’s Office.
10.3 If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing (see paragraph 11).
What we may need from you
10.4 We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
10.5 In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
11 DATA PROTECTION OFFICER
11.1 We have appointed a Data Protection Officer (“DPO”) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO via DPO@cognita.com. You have the right to make a complaint at any time to the ICO, the UK supervisory authority for data protection issues.
12 CHANGES TO THIS PRIVACY NOTICE
12.1 Any changes we make to this privacy notice in the future will be posted on the school websites and made available internally. Please check back frequently to see any updates or changes to our privacy notice. Your continued use of our services after such updates will constitute an acknowledgement of the change and agreement to abide and be bound by the updated notice.