SBS Privacy Policy

Our Policies

Cookie Policy
Terms & Conditions
Data Protection

We are committed to safeguarding the privacy of our website visitors; this policy sets out how we will treat your personal information.

This privacy notice describes how School Business Services (“the Company”) collects and uses personal information during and after the provision of our services to clients and prospective clients (Data Subjects), in accordance with UK data protection law.

The Company forms part of the Supporting Education Group (SEG) as one of its companies.

The Company together with Judicium Consulting and Neo People operate collectively as the professional services division within SEG (“Professional Services”). There may be occasions when data is shared between the Company, Professional Services and SEG. This is clarified in the relevant sections of this notice.

The UK data protection law consists of the UK General Data Protection Regulation (UK GDPR) which sits alongside an amended version of the Data Protection Act 2018 that relate to general personal data processing, powers of the Information Commissioner’s Office (ICO) and sanctions and enforcement.

It applies to all clients (whether prospective, current or former). Data Subjects may include third parties who are not clients, but whose data is processed through a provision of services to clients e.g. where a client is a school, the Company may process data about staff, pupils or parents.

Updated 24 February 2025

1. Who collects this information?

The Company is a “data controller”. This means that the Company are responsible for deciding how they hold and use personal information about you.

The Company are required under data protection legislation to notify you of the information contained in this privacy notice. This notice does not form part of any contract to provide services, and the Company may update this notice at any time.

Professional Services have a number of central services, including financial, marketing and support services. This means that personal data may be shared within Professional Services in order to provide the required services to you.

It is important that you read this notice with any other policies mentioned within this privacy notice, so that you understand how your information is processed and the procedures taken to protect your personal data.

2. Data protection principles

The Company will comply with the data protection principles when gathering and using personal information, as set out in the data protection policy.

3. Categories of information processed and purpose

Personal data is currently defined as information from which an individual can be identified e.g. a client’s full name.

There are “special categories” of more sensitive personal data which require a higher level of protection.

The Company will only use your information when the law allows. Most commonly, your information will be used in the following circumstances:

Consent: the individual has given clear consent to process their personal data for a specific purpose;
Contract: the processing is necessary for a contract or to take steps prior to entering into one;
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations);
Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of the Company or a third party.

The following categories of personal information and special category data about you may be collected, stored and used for the following purposes:

Accounting and Finance

Categories of information	Purpose	Lawful basis
Client finance details including payment information, contact details, payment status and correspondence.	Invoice for services carried out. Track payments and amounts outstanding for services.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Clerking and Governance

Categories of information	Purpose	Lawful basis
Name, contact details and position, services purchased.	Client onboarding Provide services in accordance with the contract. Manage relationships. Register onto platforms such as Governor Hub. Keep details up to date.	Comply with a contract for service. Individual consent. Legitimate interests – to effectively manage the business of the Company.
Training records including attendance and completion.	Ensure suitable completion of governor training.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Correspondence history.	Provide ongoing advice and assistance on governance and clerking responsibilities.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Information shared as part of meetings including exclusion details, staffing matters.	Assist governors with decision making and discharging their obligations.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Documents stored on governor portals.	Enable secure storage of governor documents. Provide services in accordance with the contract.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Data Protection

Categories of information	Purpose	Lawful basis
Name, contact details and position, services purchased.	Client onboarding. Provide services in accordance with their contract. Manage relationships. Register onto our platforms such as online learning and Jedu. Keep details up to date.	Comply with a contract for service. Individual consent. Legitimate interests – to effectively manage the business of the Company.
Correspondence history	Provide ongoing advice and assistance to meet data protection laws in accordance with the contract for service.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Training records.	Ensure suitable completion of data protection training. Evidence of training completion for audits.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Facilities Management

Categories of information	Purpose	Lawful basis
Name, contact details, position, services purchased.	Client onboarding. Provide services in accordance with the contract. Manage relationships. Deal with any emergencies on site.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Correspondence history.	Provide ongoing advice and assistance to answer tickets submitted by clients in accordance with the contract for service.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Training records.	Ensure suitable completion of training.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Finance

Categories of information	Purpose	Lawful basis
Name, contact details, position, services purchased.	Client onboarding. Provide services in accordance with the contract. Manage relationships.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Financial details including payroll records for staff.	Collect accurate financial records Produce financial reporting Planning and analysis.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Finance consultancy – summary of client visits, correspondence history and any personal data shared as part of client visits.	Carry out agreed consultancy services. Provide ongoing advice and assistance to answer client questions.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Financial Planner

Categories of information	Purpose	Lawful basis
Registration details including name, employment information, contact information and level of access.	Provide a projected cost and plan for implementation. Manage relationships.	Individual consent. Comply with a contract for service.
Employee records including name, gender, date of birth, employment details, any extended leave and work location.	Maintain full and accurate client records. To meet requirements of the service contract. Completion of annual returns, budgeting, forecasting and payroll reconciliation.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Correspondence history.	Provide ongoing advice and assistance ensuring tickets are completed as per service requirements.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Health and Safety

Categories of information	Purpose	Lawful basis
Name, contact details and position, appointment history, services purchased.	Client onboarding. Provide services in accordance with their contract. Manage relationships. Registration onto our platforms such as online learning and Jedu. Keep details up to date.	Comply with a contract for service. Individual consent. Legitimate interests – to effectively manage the business of the Company.
Correspondence history including data shared through correspondence.	To provide ongoing advice and assistance on health and safety compliance in accordance with the contract for service.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Training records.	Ensure suitable completion of training. Evidence training completion for audits.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Name and position details of responsible person for fire risk assessment.	List responsible person to comply with legal requirements under fire safety rules.	Comply with a legal obligation.

HLTA Training

Categories of information	Purpose	Lawful basis
Name, contact details, position, school details including key postholders.	Register users onto the programme to gain HLTA status.	Comply with a contract for service.
Postal address.	Send certificates upon course completion.	Comply with a contract for service.

HR and Employment Law

Categories of information	Purpose	Lawful basis
Name, contact details and position, services purchased.	Client onboarding. Provide services in accordance with their contract. Manage relationships. Register onto our platforms such as online learning and Jedu. Keep details up to date.	Comply with a contract for service. Individual consent. Legitimate interests – to effectively manage the business of the Company.
Correspondence history including employment information and records shared as part of these discussions.	Provide ongoing advice and assistance to meet Hr and employment laws and guidance in accordance with the contract for service.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Training records.	Ensure suitable completion of HR and employment law training.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Initial employee details such as name, address, contract changes, salary details and position.	Provide contracts, offer letters and correspondence indicating employment changes.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Details provided as part of a DBS application including names and identifiers, identification, address history and self-disclosure of criminal history. Results from DBS checks including criminal offence data.	Process the required DBS check. Verify suitable completion of DBS check. Send results to client to manage safer recruitment. Advise on results.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Details provided as part of online check service. Including name, position, contact details, address, place of birth and nationality. Result of check including evidence of online activity.	Process online checks in accordance with the contract for service. Send result to client to manage safer recruitment. Provide examples of risk. Advise on results.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Data provided as part of consultancy service delivery such as mediation and investigations.	Carry out the consultancy service requested in accordance with the contract.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Records required in order to manage ongoing litigation services.	Provide litigation advice and support.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

ICT

Categories of information	Purpose	Lawful basis
Name, contact details, position, services purchased.	Client onboarding. Maintain records of clients. Managing service requirements. Contact clients for appointments. Provide services in accordance with their contract.	Comply with a contract for service. Individual consent. Legitimate interests – to effectively manage the business of the Company.
Personal data provided whilst handling a client issue – account details, service issues, contact information.	Resolve a client’s enquiry.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Remote access to a user’s system – this may involve viewing personal data shared by the user.	Resolve a client issue.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Correspondence history.	Provide ongoing advice and assistance ensuring tickets are completed as per service requirements.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Data provided in service logs – such as individual user issues.	Client awareness of service issue and any steps taken.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Personal data supplied as part of an agreed service project (such as audits or server migration).	Access during project to ensure full completion of the agreed task.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Internal Scrutiny

Categories of information	Purpose	Lawful basis
Name, contact details and position, services purchased.	Client onboarding. Provide services in accordance with their contract. Manage relationships. Keep details up to date.	Comply with a contract for service. Individual consent. Legitimate interests – to effectively manage the business of the Company.
Staff and student details shared as part of the audit process (such as details on single central record, employment contracts, payroll details).	In order to meet internal scrutiny requirements. Produce evidence. Follow up on progress of actions.	Comply with a contract for service. Comply with a legal obligation. Substantial public interest. Legitimate interests – to effectively manage the business of the Company.
Personal data shared as part of the planning process	Preparation for the internal scrutiny programme. Address areas of improvement.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

MIS

Categories of information	Purpose	Lawful basis
List of school support users including name, email address, contact number and position.	Client onboarding. Provide MIS support services in accordance with their contract. Send details of key system updates, training courses and events. Keep details up to date.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
MIS system access including where required taking copies of data.	Resolution of client issue.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Helpdesk records and correspondence history.	Provide ongoing advice and assistance.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Data provided as part of consultancy service delivery.	Carry out the consultancy service requested in accordance with the contract.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Training records including name, attendance and completion.	Ensure suitable completion of data protection training.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Payroll

Categories of information	Purpose	Lawful basis
Salary and finance records including name, date of birth, gender, service dates, employment details, salary, tax and pension records.	Pay the individual in accordance with the service contract.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Employee data provided as part of ongoing reporting.	Provide the organisation with reporting and analysis of their financial operations.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Employee data sharing with relevant third party organisations – for example pension contributions, union payments, deduction of earning payments, tax details.	Meet legal and regulatory requirements. Ensure payroll is processed correctly.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Data provided as part of consultancy service delivery.	Carry out the consultancy service requested in accordance with the contract.	Comply with a contract for service. To comply with a legal obligation. Employment, social security and social protection. Legitimate interests – to effectively manage the business of the Company.
Staff absence reporting.	Assist client with absence management and reporting.	Comply with a contract for service. Health and social care.
Data shared by client to maintain a HR system – for example qualifications, health data, ethnicity.	Not used by the Company but held on the system by the client for the purposes of the client maintaining their own HR records in one central system.	To comply with a contract for service.
Correspondence history	Provide ongoing advice and assistance ensuring tickets are completed as per service requirements.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Safeguarding, Supervision and SEND

Categories of information	Purpose	Lawful basis
Name, contact details and position, services purchased.	Client onboarding. Provide services in accordance with their contract. Manage relationships. Register onto our platforms such as online learning and Jedu. Keep details up to date.	Comply with a contract for service. Individual consent. Legitimate interests – to effectively manage the business of the Company.
Correspondence history.	Provide ongoing advice and assistance to meet laws and guidance in accordance with the contract for service.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Training records	Ensure suitable completion of safeguarding training. Evidence training completion for audits.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Documents viewed during audit including safeguarding records and single central record.	Audit safeguarding functions and determine compliance with statutory guidance. Compliance with the terms of the service agreement.	Comply with a legal obligation. Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Anonymise responses to safeguarding and SEND questionnaires.	Audit safeguarding and SEND functions. Compliance with the terms of the service agreement. Provide tailored advice and assistance to clients.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Data collected as part of supervision services including meeting notes and any data shared.	To carry out supervision meetings and provide guidance in accordance with the service agreement.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

Sales and Marketing

Categories of information	Purpose	Lawful basis
Name, contact details, position, correspondence history.	Follow up on an initial enquiry. Manage relationships. Keep accurate records. Provide targeted marketing to those that have expressed interest.	Individual consent. Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Receiving contact details from external marketing campaigns.	Follow up on enquiries made through a marketing campaign.	Individual consent. Legitimate interests – to effectively manage the business of the Company.
Records of subscription preferences and opt-outs.	Update communication preferences. Effectively manage opt-out requests.	Individual consent. Legitimate interests – to effectively manage the business of the Company.
Website enquiries, sofa session and CFO/COO insider feedback including name, contact details, details of enquiry.	Assist with any questions. Facilitate service sign-up. Improve and personalise service offerings.	Individual consent. Legitimate interests – to effectively manage the business of the Company.

Work Permits

Categories of information	Purpose	Lawful basis
Client details including name, contact details.	Client onboarding. Providing services in accordance with their contract. Manage relationships. Keep details up to date.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Data required to complete and process visa and immigration applications including identifiers, bank statements, dependents and relationships, identification documents, work details, travel history.	Process the application with the home office and UKVI.	Comply with a contract for service. Comply with a legal obligation. Legitimate interests – to effectively manage the business of the Company.
Data provided in completion of a sponsor licence including banking records of named individuals.	Process the application with the home office and UKVI.	Comply with a contract for service. Comply with a legal obligation. Legitimate interests – to effectively manage the business of the Company.
Correspondence history.	Provide ongoing advice and assistance on applications.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.
Consultation meeting notes advising on visa viability.	Provide ongoing advice and assistance on applications.	Comply with a contract for service. Legitimate interests – to effectively manage the business of the Company.

4. How this information is collected

Personal data is most commonly collected directly from clients, for example, when an enquiry is made about services, or in the normal course of the provision of services to clients.

However, information may also be collected:

from publicly accessible sources, eg Companies House or HM Land Registry;
directly from a third party, eg: customer due diligence providers or marketing agencies;
from a third party with your consent, eg your bank;
on the Company website — such as enquiry forms or through the use of cookies. For more information on use of cookies, please see the Company cookie policy which is available on the website.

5. Sensitive information

Sensitive personal information (as defined under the UK GDPR as “special category data”) require higher levels of protection and further justification for collecting, storing and using this type of personal information. The Company may process this data in the following circumstances:

In limited circumstances, with your explicit written consent;
Where the Company need to carry out our legal obligations in line with our data protection policy;
Where it is needed in the public interest, such as for equal opportunities monitoring or for regulatory requirements;
Less commonly, processing this type of information where it is needed in relation to legal claims or where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent.

6. Marketing

From time to time, the Company will provide marketing communications to you. This is in order to provide you with a personalised and targeted service and to allow you the choice in what communications you receive.

Communication may come from the Company, Professional Services or the Supporting Education Group (“SEG”) including communications from other companies within SEG.

The content of these communications will include providing: -

Updates about progress of the Company, Professional Services, SEG and its group companies.
Details about services offered by the Company, SEG and its group companies.
Subscription services such as weekly updates and newsletters.
Opportunities and events promoted by the Company, Professional Services, SEG and its group companies such as research programmes, webinars and training sessions.

The Company have a legitimate interest in using your personal data for marketing purposes and do not usually need your consent to send marketing information.

The Company follow laws and guidelines when sending marketing communications including: -

Sending marketing communications to a work email address where possible.
When communicating with a non-work email address, to do so with a lawful basis (either under legitimate interests or with the user’s explicit consent to carry out marketing).
In all instances to provide users with an ability to opt out of marketing.
When using third party companies to assist with marketing to ensure data collection and use is done in accordance with data protection laws.
Not providing your details to third party companies outside of SEG.

Such marketing activities may include sending promotional and commercial communications regarding services offered by the Company, Professional Services, SEG and/or its group companies. This may include co-marketing or joint sale opportunities, including promotional events, training and webinars.

In some cases, personal data that you provide is done via group company platforms. This data may be shared and combined with personal data collected throughout your relationship with the Company. Where this is done, it will be communicated to you.

7. Automated decision making

Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention. Automated decision making can be used in limited circumstances.

Where the Data Subject is notified of the decision and given 21 days to request a reconsideration.
Where it is necessary in performance of the contract with the Data Subject and appropriate measures are in place to safeguard their rights
With the explicit written consent of the Data Subject and where appropriate measures are in place to safeguard their rights

If automated decision making is made in relation to Data Subjects using special category data, there will either be explicit written consent of the Data Subject or it must be justified in the public interest.

Currently the Company do not undertake decisions about clients using automated means.

8. Sharing Data

The Company may need to share your data with third parties, including third party service providers where required by law, where it is necessary to administer the working relationship with you or where there is another legitimate interest in doing so. These include sharing data with the following:-

The Supporting Education Group;
Professional Services;
Third parties used to help deliver products and services to you;
Third parties used to help the Company operate (such as website hosts);
Third parties used to provide marketing assistance;
Third parties used to facilitate compliance with support services (for example MIS providers to help comply with MIS support requests);
Insurers and brokers;
Professional advisors;
External auditors;
Law enforcement agencies, courts, tribunals and regulatory bodies;
Banks.

Information will be provided to those agencies securely, or if possible in an anonymised format.

The recipient of the information will be bound by confidentiality obligations and are required to respect the security of your data and treat it in accordance with the law.

9. International data transfers

The Company do not transfer your personal data outside of the UK/EEA. However, should the need arise to transfer data outside of the EEA, the Company shall either share with a country which has received an appropriate adequacy decision or will ensure that there are safeguards in place to provide appropriate levels of protection.

10. Security

The Company have put in place measures to protect the security of your information (i.e. against it being accidentally lost, used or accessed in an unauthorised way). In addition, access is limited to your personal information to those employees, agents, contractors and other third parties who have a business need to know. Details of these measures are available on request.

11. Retention

Personal information is retained about clients for as long as necessary to fulfil the purposes it is collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements. This retention period will in most cases be as long as you are a client.

Details of retention periods for different aspects of personal information about Data Subjects are in the Company’s data retention policy which is available upon request.

To determine the appropriate retention period for personal data, the Company consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which personal data is processed and whether those purposes can be achieved through other means, and the applicable legal requirements.

12. Your rights to access, correction, erasure and restriction

Under certain circumstances, by law you have the right to:

Access your personal information (commonly known as a “subject access request”). This allows you to receive a copy of the personal information held about you and to check it is lawfully processed. You will not have to pay a fee to access your personal information. However, a reasonable fee may be charged if your request for access is clearly unfounded or excessive. Alternatively, there maybe grounds to refuse to comply with the request in such circumstances.
Correction of the personal information held about you. This enables you to have any inaccurate information held about you corrected.
Erasure of your personal information. You can ask to delete or remove personal data if there is no good reason to continue to process it.
Restriction of processing your personal information. You can ask to suspend processing personal information about you in certain circumstances, for example, if you want to establish its accuracy before processing it.
To object to processing in certain circumstances (for example for direct marketing purposes).
To transfer your personal information to another party.

If you want to exercise any of the above rights, please contact the Company’s data protection officers, Judicium Consulting in writing by emailing dataservices@judicium.com.

The Company may need to request specific information from you to help confirm your identity and ensure your right to access the information (or to exercise any of your other rights).

13. Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact marketing@schoolbusinessservices.co.uk. Once notification has been received that you have withdrawn your consent, the Company will no longer process your information for the purpose or purposes you originally agreed to, unless there is another legitimate basis for doing so in law.

14. How to raise a concern

The Company have appointed a data protection officer (DPO) to oversee compliance with data protection and this privacy notice. If you have any questions about how your personal information is handled which cannot be resolved by the Company in the first instance then you can contact the DPO on the details below: -

Data Protection Officer: Judicium Consulting Limited

Address: 72 Cannon Street, London, EC4N 6AE

Email: dataservices@judicium.com

Web: www.judiciumeducation.co.uk

You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

15. Changes to this Privacy Notice

The Company reserve the right to update this privacy notice at any time and will provide you with a new privacy notice when making any substantial updates. The Company may also notify you in other ways from time to time about the processing of your personal information.

If you would like a copy of this privacy notice translated into another language, please email feedback@schoolbusinessservices.co.uk

Download now! ➝

Revised 24 May 2018, audited under ISO 14/12/2018, updated 10 August 2021

Affordable budgeting software for MATs & schools

Financial Planning Software

Services

Other Services