Home » Data Protection

fingers walking up books

Bursary Administration Limited (BAL) has been registered with the Information Commissioner’s Office (ICO) since 13th February 2009 and is currently registered as a Data Controller under the reference Z1647679 and acts either as a Data Controller or a Data Processor on behalf of schools. BAL will make every endeavour to abide by the principles and terms of the Data Protection Act 2018. BAL undertakes to take all possible care to protect Bursary applicants’ (ie the families’) and schools’ sensitive data.

The Registration is renewed automatically and the Data Protection Policy is reviewed in August each year.

BAL undertakes to take all possible care to protect Bursary applicants’ data in line with ICO requirements.


  1. Information is received electronically in two ways: either from schools through Sharepoint, or by email from families. Sharepoint is a secure method of holding electronic information and its availability is controlled within BAL. Information received by email from families will also be stored in Sharepoint. This storage will always be at sites within the UK.
  2. Information received on paper is stored in a named plastic wallet which is stored securely under lock and key.
  3. If original evidence documents are received from families directly these are returned safely at the time of the visit. If this is not possible these documents are returned to the family by ‘Signed-for’ post at BAL’s expense.
  4. If the school requires it BAL will return all evidence documents to the school, whether they are originals or copies, usually by courier (unless otherwise requested).
  5. All electronic information will be stored securely for no more than four years.
  6. BAL stores paper documents for no more than one year and then returns original application forms securely to the schools, shreds copy documents securely using an authorised service, scans its own paper notes, and then shreds these securely using an authorized service. The scans will be held in Sharepoint.
  7. BAL will agree to shred documents before the expiration of one year if expressly requested to do so by families.
  8. BAL will agree to delete permanently all information held regarding families, in any form whatsoever, if expressly requested to do so by families.

Confidentiality and protection of information in transit

  1. All staff are required to sign confidentiality clauses at the time of the commencement of their employment and are expected to abide by these clauses.
  2. It will be understood that BAL staff will need to transport information regarding the application and any evidence documents supplied to meetings with families. Apart from the provisions made at 3. and 4. under ‘Procedure’ above this is the only time the information will leave BAL’s office. BAL staff will take every to care to ensure the security of documents, and any mobile devices, such as laptops or mobile phones, will be password-secured and stored out of sight at all times.
  3. BAL will never release information to a third party outside of the independent education sector.
  4. However, BAL is sometimes requested to share reports between schools to which families may have applied. If this is the case BAL will first gain approval for this in writing (email is acceptable) from families and the schools for which the assessments were originally undertaken.
  5. All reports will be sent to schools through Sharepoint and not emailed. Each school will have its own area within BAL’s Sharepoint site and this will be password-protected.

BAL is contracted to its client schools and accordingly any report it produces is the property of the school concerned, and BAL will not be able to agree to any request to release a report to any party without the express permission of that school.