Introduction & what this policy covers
Ashridge is committed to protecting you, your colleagues and your family’s privacy in every interaction we have with you including when you use our online services.
This Policy relates to our use of any personal information we collect about you, whether from you or your employer, as an employee, supplier, participant, student, client or visitor, through our webpages, any apps we offer, service and learning portals, as part of a psychometric tool, through social media, by phone, by email or other correspondence, by SMS or in person.
We want you to know what information we collect about you, how we use that information including when we might use it to contact you, whether anyone else has access to it and your rights in relation to it.
Ashridge reserves the right to add to or otherwise modify this Policy at any time, so please re-visit this page occasionally to check for updates.
Who are we?
We are the Ashridge (Bonar Law Memorial) Trust and it’s trading subsidiaries, the Ashridge Strategic Management Centre and Ashridge Executive and Organisation Development Ltd. As a group we provide executive education and hospitality services to clients based all around the World. When we refer to Ashridge, ‘we’, ‘us’ or ‘our’ we are referring to both the Trust and its trading subsidiaries.
We offer various online services. These include our virtual learning portal called Virtual Ashridge, and our guest services tool, myAshridge. Our webpages are hosted and maintained by Hult.
Information we ask you for and collect
We collect various types of information from you so that we can adjust our online and off line services to meet your needs and expectations. Some of this information is collected automatically through cookies, and other information is collected when you or your employer purchase(s), or register(s) for, any of our services or subscribe to any of Ashridge E-Newsletters. We have grouped this into five categories:
Contact Information: title, first name, last name, work and personal email address(es) and telephone number(s)
Job-related Information: job title or role, client organisation & business sector, previous experience and expertise
Education-related Information: qualifications held, previous programs attended
Special Category Information: dietary requirements, accessibility requirements, health information related to non-attendance, gender, nationality, date of birth, psychometric responses and reports,
IT-related Information: Cookies, IP address, site navigation – see ‘Information we automatically collect’ below.
We will only ever collect the minimum amount of information necessary to provide the services you or your employer request. For all of our services we would collect sufficient Contact Information to carry out those services, but depending on the type of service (see table below) we may collect additional information:
|Service||Categories of Information collected|
|Webpages forms||Job, Education, Special Category, IT|
|Virtual Ashridge||Job, IT|
|myAshridge||Third party Contact (for emergency contact), Special Category|
|Canvas Learning Platform||Education, IT|
|Online AIMS||Special Category|
|Request for information about our services||Job, Education, Special Category, IT
|Feedback||opinions on our services|
|Online or telephone sales (books or merchandise)||Job, Special Category, IT|
|Business Development||Job, Education|
|Direct Marketing||Job, Education|
|Onsite or offsite Program||Job, Education, IT|
|Apprenticeships||Job, Education, Special Category, IT|
|Visitor or guest at Ashridge House||Special Category|
|Subcontractor personnel||Job, Special Category|
|Prospective Employees or Candidates||Job, Special Category|
|Research participant||Job, Education, Special Category, IT|
Information we automatically collect
The types of information your browser or internet session automatically sends us each time you use one of our online services, include:
– Your browser, e.g. Internet Explorer, Firefox, Safari, Opera;
– Your Internet Service Provider, e.g. TalkTalk, BT, AOL, NTL, Virgin, Bulldog;
– Your computer’s operating system, e.g. Windows, Macintosh, UNIX, Linux;
– Your navigation path, that is, the URL of where you came to our site from, which of our pages you visited, and your IP address.
This information lets us see how users are finding our webpages and online services and it tells us which pages and sites are visited the most often so we can make them more useful. This information in no way enables us to identify you personally.
We also operate CCTV at Ashridge House. For more information about this please refer to our CCTV policy.
What are “Cookies”?
Cookies are small text files that are placed on your computer by the websites that you visit. Cookies make the interaction between users and websites faster and easier. Without cookies, it would be very difficult for a website to allow a visitor to fill up a shopping cart or to remember the user’s preferences or registration details for a future visit.
When you visit any of Ashridge’s online services, cookies enable us to measure which pages you view and how your computer views them. By measuring general use of our online services we aim to improve the user experience and make these services more useful to you.
When using Virtual Ashridge we will use the statistical data collected to provide feedback to our client organisation (your employer) which may include:
- Content types reviewed
- Learning preference on those content types
- Number of users acccessing
- Number of page views, what day and by country
- Top search terms
- Top pages viewed
- Individual users by display email address
- Quiz results
Do not track browser setting
Do Not Track is a feature offered by some browsers which, when enabled, sends a signal to websites to request that your browsing is not tracked, such as by third party ad networks, social networks and analytic companies. Our online services do not currently respond to Do Not Track requests.
Ashridge web authentication and log-in
Ashridge’s online services requiring a log-in (such as Virtual Ashridge, AIMS, e-Sharing, Alumni, myAshridge), operate a single sign-on policy. This allows an individual to re-use the same log-in details across a variety of authenticated online services provided by Ashridge. In many cases these log-in details are created by Ashridge with random passwords. However, there are instances when users are allowed to self-register and hence provide a password of their choice. Though our self-registration service enforces users to register high strength passwords, and these are securely protected, it is strongly recommended that you provide us with a separate password and NOT the ones used with your banking or other highly sensitive personal online accounts elsewhere.
We will never contact you to ask for your login details or password so please be aware of emails or calls claiming to be from Ashridge that request this information.
Third party websites, content and resources
Please be aware that you may be directed via links or other means to third party websites, content and resources. These third party websites, content and resources will have their own privacy policies and may send their own cookies to visitors, collect data, or solicit and use your personal information in ways that are different to those contained in this Policy. We are not responsible for the privacy practices of the providers of these other websites, content and resources and cannot guarantee the security of any of your Personal Information collected, used or shared there. The use of such websites is at your own risk and we suggest that you read their privacy notices or policies before proceeding to use the third party site.
Our Sales team uses telephony technology provided by NewVoiceMedia Limited which is both ISO27001 certified and has Level 1 PCI DSS. Using this technology Ashridge may monitor, record, store and use any telephone calls with you in order to check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service.
How is your personal information used and why is it lawful?
We will use your personal information for a number of purposes including:
|provide and administer of our services and to carry out other contractual obligations under a contract with you or your employer and this may also include sending password reminders, notice of maintenance, updates of our policies including this one;||provision of services under a contract, furtherance of our legitimate interests, consent (special category)|
|seek your views or comments on the services we provide;||provision of services under a contract, furtherance of our legitimate interests,|
|notify you of changes to our services;||provision of services under a contract, furtherance of our legitimate interests,|
|send you, either electronically or in print, publications you have requested or similar publications or information about complimentary or connected services||provision of services under a contract, furtherance of our legitimate interests,|
|provide you with the most user-friendly online navigation experience||provision of services under a contract, furtherance of our legitimate interests,|
|respond to any enquiry, correspondence or request including during the processing of a job application or similar application to work with us as a supplier;||provision of services under a contract, compliance with other legal obligations, furtherance of our legitimate interests, consent (special category)|
|use your IP addresses and device identifiers to identify the location of users, block disruptive use, establish the number of visits and from which countries||provision of services under a contract, compliance with other legal obligations, furtherance of our legitimate interests,|
|carry out analysis and research activities (where your information would be anonymised unless we obtained your further consent so you could not be identified);||provision of services under a contract, furtherance of our legitimate interests, consent (special category)|
|carry out marketing activities, where you have agreed to be contacted or where you are a previous client or participant so we can tell you about similar services (we will continue to give you an opportunity to opt out of these communications every time we contact you);||furtherance of our legitimate interests,|
|participate in the Financial Times (“FT”) rankings where we provide names, job title and email addresses and on occasion organisation name to the FT after we have contacted you in advance to notify you that we intend to process your data in this manner and who you will be contact by, when and why||furtherance of our legitimate interests,|
By requesting information, a publication or a service you will automatically be subscribed to receive similar, complimentary or related publications. All electronic communications sent have an Unsubscribe option at the bottom of the email or E-Newsletter. All print publications are sent with a contact form which can be used to update your contact information or to unsubscribe from that publication. If you would like to update any details or unsubscribe from Ashridge publications, please contact us by email at:firstname.lastname@example.org.
Who has access to your personal information
Ashridge guarantees that your personal information will not be passed to any third parties other than those that are working for or with Ashridge to deliver our various services (delivery of programs, consulting, coaching, research and hospitality) and to carry out the purposes listed above. Ashridge does not sell or otherwise distribute mailing lists to third parties. However, Ashridge has contractual assurances from those companies that the data is only used to send the Ashridge publications and is destroyed afterwards.
Occasionally we may share your information with Hult or other educational partners with whom we work, such as EF Corporate Language Learning Solutions, in order to advise you of services that complement our own. These partners will provide you with an opportunity to opt out of these communications every time they contact you.
Ashridge may share aggregated and anonymised information about our clients, participants and guests with advertisers, business partners, sponsors and other third parties. However, no individual information provided will be shared in this way.
Except as set out here we will not share your personal data with anyone else, except as required by law.
When you visit our webpage or use our Virtual Ashridge or psychometric products your details will be added to our CRM and marketing systems. We may analyse your personal information to create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is available from external sources e.g. LinkedIn, to help us get to know you better and provide more effective personalisation.
Your rights, our obligations
You can choose at any time whether or not you wish to be contacted by Ashridge. Every communication we send you will give you the opportunity to opt out of further communications but you can also notify us at any time by email email@example.com. or by telephone on +44 (0)1442 843491to withdraw your consent to marketing or any other contact from Ashridge.
What forms of security protect your personal information
Ashridge operates robust physical and system access controls together with transmission, input, availability, processing and segregation controls to protect your personal data. Many of our SaaS providers are ISO27001 accredited and we follow similar quality controls.
More information can be obtained from our IT Security Policy.
Transferring information overseas
Data protection legislation prohibits us from sending your personal details to a country outside the European Economic Area (EEA) without your informed consent. Ashridge works in partnership with some organisations and individuals that operate outside the EEA. We may consider it to be of benefit to individuals, based in the same geographical location, if their details are passed on to an appropriate Ashridge contact in their area for marketing purposes. At present, the European Commission does not consider certain countries outside the EEA to provide adequate levels of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data, for the purposes of satisfying the eighth Data Protection principle. Nevertheless, Ashridge hereby declares that it is satisfied that the appropriate technological and organisational safeguards are in place in the overseas establishments that we work with and that these are equal to or greater than those required under current relevant data protection laws.
How long will we keep your information?
We will hold your personal information on our systems for as long as it necessary for the relevant activity or services, as required by our accreditors or for as long as is set out in any relevant contract you have with us, whichever is longest. If you exercise any of your rights to restrict the processing, restriction, transfer or deletion of your personal data, we will retain sufficient personal data in order to action, and continue to abide by, that request.
If you have not used your myAshridge or VA account in the last six months then your account may be classed as dormant and may be deleted in line with this Policy.
Your rights to find out what information we hold about you
The right to access (subject access requests) and portability
You can write to us at any time and ask for a copy of the information we hold about you. Please address your letter to the Chief Financial Officer. There is no longer a charge for providing this information, except where we consider the request to be manifestly unfounded, excessive or you request duplicate copies.
We can withhold your personal information in the following circumstances and without giving you justification:
• the prevention, detection or investigation of a crime;
• national security or the armed forces;
• the assessment or collection of tax; and
• judicial or ministerial appointments.
You can also ask us to transfer your data to another organisation.
Right to request rectification, updating or deletion
You may request that your personal information it updated, rectified or completed. We will make every effort to inform all third parties to whom we have disclosed the information of the changes made (unless this is impossible or involves disproportionate effort) and, if you ask us, we will let you know who those recipients are.
You may ask us to delete or cease processing your personal information where it is no longer a needed for the purpose for which it was gathered or you withdraw your consent to such processing. We can refuse to comply e.g. where we need to retain it in connection with legal proceedings or where we are required to retain your personal information by law.
If you wish to update or delete your personal information please write to Anders Ljungdahl, CFO, Ashridge, Berkhamsted, Hertfordshire HP4 1NS or email firstname.lastname@example.org and we will arrange for your personal information to be updated or deleted in accordance with your instructions across our internal systems.
Deleting your account(s) will erase any personal information in your account that we have about you and it will mean any data we hold about how you have used myAshridge or VA will be made anonymous.
Right to restrict processing
You can request that processing of your personal information is restricted and only permitted with your consent, except where we need in connection with legal claims or to protect of the rights of others, in the following circumstances:
- where you contest the accuracy of information, for the period it takes us to verify its accuracy;
- where the processing is unlawful and you request restriction rather than deletion;
- where we no longer need the information but it is required by you in connection with legal proceedings; or
- where you have objected to the processing, pending verification of whether we or a third party has an overriding legitimate interest.
Where processing has been restricted, we will inform you before the restriction is lifted.
Right to object
This is a right to object, on grounds relating to the worker’s particular situation, to processing based on one of the following:
- the processing is necessary for a task carried out in the public interest
- processing in the exercise of official authority
- the processing is necessary for the pursuance of the legitimate interests of the employer or a third party which are not overridden by the worker’s interests
If an objection is received the employer must stop processing unless it can demonstrate compelling legitimate grounds for processing overriding the interests, rights and freedoms of the worker or that it is in connection with legal proceedings.
There are also rights to object to:
- data processing for direct marketing purposes – employer must stop processing
- data processing for statistical purposes – must stop unless in public interest
Right to appeal against automated decision making and profiling
This right allows an individual access to information about the reasoning behind any decisions taken by automated means. You can:
- give written notice requiring us not to take any automated decisions using your personal data;
- even if you have not given notice, you have a right to be informed when such a decision has been taken; and
- you can ask us to reconsider a decision taken by automated means.
This is your safeguard against the risk that a potentially damaging decision is taken about you without any human intervention.
Time limit for responding.
We will respond to requests for access, rectification, erasure, restriction and objections without undue delay and at the latest within one month. If we need to extend the period of compliance by up to a further two months where requests are complex or numerous, we will notify you in writing within one month, together with the reasons for the delay. If we do not take action on your request we will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and we will remind you that you may wish to lodge a complaint with the ICO and/or seek a judicial remedy.
This policy was reviewed and updated in May 2018. It is under regular review.
CCTV Policy & Procedures
Ashridge uses CCTV to provide a safe and secure environment for its staff and visitors and to protect Ashridge’s property. The purposes for which the CCTV Systems are used are solely to protect the premises by prevention, detection and investigation of criminal activity.
The person who has been appointed to oversee the system and procedures is Debbie Gronert who holds the position of Facilities Manager at Ashridge Executive Education. She is responsible for making sure that the data is only accessed by those with a genuine need to do so.
Ashridge will notify visitors to the site of the use of CCTV by appropriate signage provided at the entrance of each car park.
The images that are filmed will be held in a secure location and will only be accessed by those who are authorised to do so.
The medium onto which we record images is a hard drive which updates every 31 days by clearing data stored and starting again.
A regular maintenance programme is in place and will be carried out in accordance with the agreed schedule by MJ Security Systems Ltd (tel no. 01582 665022). Cameras will be checked every six months and a service report provided.
Unless required for evidential purposes, the retention period of any images recorded by our CCTV footage is 31 days and any footage that is over this period is set up on the system to be deleted automatically.
The location that is used for viewing of any images is the Venue Services office in the Main House. Only the manager and team leaders are authorised to access the images collected.
Debbie Gronert, Facilities Manager, or her nominated deputy in his absence, is the only person who can authorise disclosure of information to third parties.
Should any images be required by the Police, or any other authorised enforcement agencies, we will adhere to the following protocol:
- All requests will be documented, giving the date, time and purpose of the request and the identity of the body and individual making the request.
- The request must specify the date and time (as far as possible) of the image.
- Proof of ID from the requesting officer will be required on collection of the data.
- We will aim to provide a response to a request within 24-48 hours.
- If the decision is taken not to release the images, then the image in question will be held and not destroyed until all legal avenues have been exhausted.
The Data Protection Act 1998 gives individuals the right to access personal information about themselves, including CCTV images. All requests for access to images by individuals should be made to the Facilities Manager who will assess the request and, if appropriate, release the image to the individual within 40 days of the request. Ashridge may make a small charge for the image, not exceeding £10.
The CCTV system operates 24 hours a day, 365 days a year and will continue to be maintained by MJ Security Systems Ltd and monitored by our nominated staff.
Adherence to this policy will be monitored and the policy reviewed at least annually.
This policy is a public document and is available online at www.ashridge.org.uk or by contacting us on 01442 841174.