The BSA Group comprises entities owned all or in part by the BSA Group Services Limited, a company registered in England and Wales with registration number 4676107 and whose registered office is at 167-169 Great Portland Street, 5th Floor, London, W1W 5PF.

BSA Group comprises BSA (Boarding Schools’ Association), BAISIS (British Association of Independent Schools with International Students)HIEDA (Health in Education association)SACPA (Safeguarding and Child Protection Association) and TIOB (The Institute of Boarding). BSA Group champions excellence in boarding and safeguarding and delivers services for more than 1,600 organisations and individuals in 40 countries worldwide.

We take our responsibility as a data controller seriously and are committed to using the personal data we hold in accordance with the law.

This privacy notice provides detailed information about how we process personal data. Please read it carefully and, if you have questions regarding your personal data or its use, please contact The BSA Group via by telephone on +44 (0)207 798 1580, or by post at 167-169 Great Portland Street, 5th Floor, London, W1W 5PF.


The BSA Group processes personal data about prospective, current and past member and non-member organisations and individuals; staff and volunteers within these organisations; The BSA Group staff; training providers/contractors; information about individuals provided to us by organisations and individuals connected to members organisations.

The personal data we process takes different forms – it may be factual information, expressions of opinion, images or other recorded information that identifies or relates to a living individual. Examples include:

  • Names, addresses, telephone numbers, email addresses and other contact details
  • Images, audio and video recordings
  • Financial information (bank details)
  • Courses, meetings or events attended.

As an employer, The BSA Group needs to process criminal records information about individuals, particularly staff and contractors. We do so in accordance with applicable law, including with respect to safeguarding or employment, or by explicit consent.


The BSA Group collects most of the personal data it processes directly from members (in some cases directly from staff members and volunteers). We also collect data from third parties (working references, professionals or authorities) or from publicly available resources.

Personal data held by The BSA Group is processed by appropriate members of staff for the purposes for which the data was provided. We take appropriate technical and organisational steps to ensure the security of personal data about individuals, include secure use of technology and devices and access to our online systems. We do not transfer personal data outside of the European Economic Area unless we are satisfied that the personal data will be afforded an equivalent level of protection.

Some of our systems are provided by third parties, such as Microsoft Office suite and cloud storage, the The BSA Group websites, The BSA Group newsletters and mailings, and independent cloud storage providers. This is always subject to contractual assurances that personal data will be kept securely and only in accordance with our specific directions.

The BSA Group does not share or sell personal data with other organisations outside of the group without permission.


The BSA Group processes personal data to support its function of supporting excellence in boarding, safeguarding, inclusion and health education in the UK and internationally.

  • Names, email addresses, phone numbers and addresses of key contacts of member organisations for membership changes, updates and payments
  • Names, email addresses, phone numbers and addresses (where shared) of attendees of events and training (both current and previous) to provide information on similar training or events
  • Email addresses of contacts within member organisations for The BSA Group newsletters (opt-out option for this is always available)
  • Staff administration (including recruitment and contractors) for payroll, pensions, sick leave, annual leave, review and appraisals of performance, grievance conduct, capability or disciplinary procedures, providing references
  • Use of images supplied by member organisations for the promotion of The BSA Group on the The BSA Group website, social media, print content and presentations
  • Contact details for organisations and associations that work in conjunction with The BSA Group across all sectors relating to safeguarding and child protection, boarding, education, health and wellbeing
  • Names, email addresses, phone numbers, addresses where shared) and dietary requirements of individuals who have booked on to The BSA Group training programmes and events in order to register, share information relating to the event(s), share resources, keep a record of attendance and cater to individual dietary/special needs
  • Names, email addresses, phone numbers, addresses (where shared) of individuals who have booked on to The BSA Group training programmes and events in order to update/share information on future events that may be of interest
  • Names, email addresses, phone numbers, addresses (where shared) of individuals who have booked on to The BSA Group training programmes and events to share with sponsors/advertisers.
  • Sharing of social media posts from member organisations through The BSA Group networks (retweeting, sharing).

The processing set out above is carried out to fulfil our legal obligations (including staff employment contracts).


The BSA Group retains personal data only for legitimate and lawful reasons and only for so long as necessary and/or required by law. Staff records are retained for seven years for purposes of providing references if requested.

Details of staff from membership organisations are updated yearly/as requested. Staff who have left their organisation/association are removed from our contact list when notified unless they request to continue to receive information.


Under Data Protection Law, you have the right to access and understand the personal data held about you, and in some cases, to ask for it to be erased or amended, or for us to stop processing it, subject to certain exemptions and limitations.

You always have the right to withdraw consent, or otherwise object, to receiving generic communications. Please be aware however that Hieda may have another lawful reason to process the personal data in question, even without your consent. This usually relates to staff records (time worked with The BSA Group, HR purposes and reference requests).

If you would like to access or amend your personal data; would like it to be transferred to another person or organisation; or have some other objection to how your personal data is used, please make your request in writing to:

The Chief Executive, 167-169 Great Portland Street, 5th Floor, London, W1W 5PF.

We will respond to any such written requests within a reasonable timeframe and within statutory time-limits, which is one month in the case of requests for access to information. We will be able to respond quickly to targeted requests for information. If the request is manifestly excessive or similar to previous requests, we may ask you to reconsider or charge a proportionate fee, but only where Data Protection Law allows.

You should be aware that certain data is exempt from the right of access. This may include information which identifies other individuals, or information which is subject to legal privilege. We are also not required to disclose any confidential reference given by The BSA Group for the purposes of the education, training or employment of any individual.


The BSA Group tries to ensure that all personal data is held in relation to an individual is as up to date and accurate as possible. Please notify of any changes to information such as contact details.


Our privacy notice should be read in conjunction with our other policies and terms and conditions which make reference to personal data.

The BSA Group will update this Privacy Notice when required. Any substantial changes that affect how we process your personal data will be notified on our website, and to you directly as far as practicable.

If you feel we have not complied with this policy or have acted otherwise than in accordance with Data Protection Law, you should notify the Director. You can also make a referral to, or lodge a complaint, with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with us before involving them.