Data Protection and Privacy Policy


Our website address is:


BSA Group (BSAG) comprises BAISIS (British Association of Independent Schools with International Students), BSA (Boarding Schools’ Association), HIEDA (Health in Education Association), SACPA (Safeguarding and Child Protection Association) and TIOB (The Institute of Boarding). Also found within the group are SBF (State Boarding Forum) and BSA Legal Services Ltd, a subsidiary of BSA Group Services Ltd.

BSA Group’s mission is to support excellence in boarding, safeguarding, inclusion and health education. BSA Group delivers services for more than 1,600 organisations and individuals in 40 countries worldwide.

We take our responsibilities as a data controller seriously and are committed to using the personal data we hold in accordance with the law.

This privacy notice provides detailed information about how we process personal data. Please read it carefully and, if you have questions regarding your personal data or its use, please contact the BSA Group via



We process personal data about current and past: employees, contractors, board and executive committee members, member and non-member organisations, schools, school staff, BSA Group staff, training providers/contractors, information about students provided to us by the school and other individuals connected to a member organisation or school.

The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information which identifies or relates to a living individual. Examples include:

As an employer, we need to process criminal records information about individuals (particularly staff and contractors). We do so in accordance with applicable law (including with respect to safeguarding or employment) or by explicit consent.



The BSA Group (BSAG) complies with all statutory requirements of the Data Protection Act 2018 by registering all personal data held on its computer and/or related electronic equipment and by taking all reasonable steps to ensure the accuracy and confidentiality of such information.

The Data Protection Act protects individuals’ rights concerning information about them. Anyone processing personal data must comply with the eight principles of good practice.

Data must be:

Individuals can request in writing access to the information held on them by BSAG and there is no charge for this service.

We collect most of the personal data we process directly from members. We also collect data from third parties (working references, professionals or authorities) or from publicly available resources.

Personal data held by us is processed by appropriate members of staff for the purposes for which the data was provided. We take appropriate technical and organisational steps to ensure the security of personal data about individuals, including secure use of technology and devices, and access to our online systems. We do not transfer personal data outside of the European Economic Area unless we are satisfied that the personal data will be afforded an equivalent level of protection.

Some of our systems are provided by third parties, such as Microsoft Office suite and cloud storage, the BSA Group websites, BSA Group’s newsletters and independent cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with our specific directions.

We do not share or sell personal data to other organisations.



We process personal data to support the BSAG’s function of promoting and supporting key stakeholders and includes:

The processing set out above is carried out to fulfil our legal obligations (including staff employment contracts).



The BSAG maintains contact with past school Heads/boarding school staff members who have requested to be kept on the BSA Group mailing lists and have provided their personal details to the BSAG to this effect. This is so that the BSAG can continue to invite these previous school members to events, keep them updated with the boarding sector and provide them with useful and relevant information. The BSAG asks that individuals requesting continued contact provide us with their data preferences to ensure that all communications are requested for and relevant. Individuals can opt out of these mailings at any time by emailing or by clicking on the ‘unsubscribe’ link at the bottom of email contact.



We retain personal data only for legitimate and lawful reasons and only for so long as necessary / required by law. Staff records are retained for seven years for purposes of providing references if requested.

Details of school staff are updated yearly. Staff who have left the school are removed from our contact lists unless they request to continue to receive BSAG contact.

Press releases will remain on all BSAG websites (News Archive, accessible via search function) and social media pages for a period of ten years in order to help support schools in the promotion of their brand. Press releases can be removed at any time by emailing


You have various rights under Data Protection Law to access and understand the personal data we hold about you, and in some cases to ask for it to be erased or amended or for us to stop processing it, but subject to certain exemptions and limitations.

You always have the right to withdraw consent, or otherwise object to receiving generic communications. Please be aware however that the BSAG may have another lawful reason to process the personal data in question even without your consent. This usually relates to staff records (time worked with the BSAG, HR purposes and for reference requests).

If you would like to access or amend your personal data, would like it to be transferred to another person or organisation, or have some other objection to how your personal data is used, please make your request in writing to the CEO, DCEO/COO or Legal Director.

We will respond to any such written requests as soon as is reasonably practicable and in any event within statutory time-limits, which is one month in the case of requests for access to information. We will be better able to respond quickly to smaller, targeted requests for information. If the request is manifestly excessive or similar to previous requests, we may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows it.

You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal privilege. We are also not required to disclose any confidential reference given by the BSA for the purposes of the education, training or employment of any individual.



We only hold pupil data when it has been provided to the BSAG for the purposes of the promotion of a member school (though the BSA and TIOB websites, social media pages and marketing content such as the Boarding School magazine).



Any data relating to safeguarding is provided to us by our member organisations and schools. The data is provided with all details of individuals involved already removed (even if these details are already available in the public domain).

If an organisation, or school provides information that has not been anonymised, the CEO, DCEO/COO or Senior Director will remove all relevant data upon receipt of content. All safeguarding information is kept securely within the BSAG system, with severely limited access.

Safeguarding data will not be shared with any external agency, other than to comply with a legal obligation and where there is a lawful basis for it to be shared.



We try to ensure that all personal data held in relation to an individual is as up to date and accurate as possible. Please notify of changes to information, such as contact details.



Our privacy notice should be read in conjunction with our other policies and terms and conditions which refer to personal data, including our Commitment to Care Charter.

We will update this Privacy Notice when required. Any substantial changes that affect how we process your personal data will be notified on our website and to you directly, as far as practicable.

If you believe that we have not complied with this policy or have acted otherwise than in accordance with Data Protection Law, you should notify the CEO, DCEO/COO or Legal Director. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with us before involving them.


Last updated: January 2023

Next update: January 2024

Subscribe / latest articles and news from our schools