IB Schools and Colleges Association

Privacy Statement

Who we are

It’s important that you know who “we” are. “IBSCA Ltd”, “IBSCA” is a company registered in England (no. 05964097). We are a membership organisation for schools that offer the International Baccalaureate programmes. IBSCA aims to support its member schools to deliver the programmes, advocate for the IB qualifications with universities and governments, and represent its members to the IB. We contract with Oxford Course Managers for administrative support for our events and other services.

Where we refer to the ‘IBSCA website’, it means any one of IBSCA’s sites. We currently have a site at ibsca.org.uk.

More information about IBSCA can be found at https://ibsca.org.uk/about.

How to contact us

For all questions, comments and requests regarding this Privacy Statement, or anything else, you are welcome to contact us:

  • by sending an email to: office@ibsca.org.uk
  • by post to: Belsyre Court, 57 Woodstock Road, Oxford OX2 6HJ, UK
  • by phone: +44 (0)1865 988 752 (via our administrative services supplier, Oxford Course Managers)

Why do we need any of your personal information?

In line with the General Data Protection Regulations (GDPR) we will only ask for and use personal information where there is both a purpose and a legal basis for doing so.

If you’re just taking a look at IBSCA and what we offer, then there’s no need to provide us with any information about yourself.

There are a number of valid reasons that we might request and use your personal information, such as:

  • you have contacted us to get a better understanding of IBSCA and the services we offer, and you provide us with information about yourself to allow us to give you more specific answers to your questions;
  • you are a potential customer, employee, supplier or business partner, and it is legitimate to believe that you have an interest in IBSCA and the products and services we provide. This means we might contact you about IBSCA using the information we hold, for example we let staff and teachers in schools know about our courses on this basis;
  • you are already a customer, employee, supplier or business partner, and in order to fulfil the terms of the agreement we have with you we need certain information which we will store and use;
  • you have given your consent for us to contact you or send you information, in which case we make it clear at the time you provide your details how we will use them. If you are a student, although you are legally able to give consent for the use of your own data, we may also obtain your parent or guardian’s consent before we use your information if we feel that your parent would want to give or withhold their consent.

What types of information to we collect and how is it used?

The types of information that we collect depend on what relationship you have with IBSCA and how you interact with us. To fully understand the basis on which we process your data, we have assessed the different ways we do this to check that it is legitimate and fair.


If you contact us or we contact you, whether by phone, email, post, live chat or enquiry form on our website, we may keep a record of that correspondence. Where appropriate, we may take correspondence received in one form and store it in another. Likewise where you have given more than one way to reply to you we may choose the most appropriate method. For example, if you phone us then we may record details of the conversation in our contact management system and send you information you request by email.

The types of data we record include your name, who you are, contact information, and the correspondence itself. We may also keep associated notes or process the information, combining it as necessary with any information that we already legitimately hold, and store the result of any assessment or analysis or decisions made.

Browsing the IBSCA website

Providing personal information on the IBSCA website is optional. However, you should note that information is transmitted by your web browser, the web infrastructure and the web server, in order for pages to load in your browser. Some of this data is logged and could potentially be used to identify you as an individual, and because it happens behind the scenes you may not know what it is and how it is used. As this is quite technical, we have a section ‘Using our website’ to tell you more about this.

Using the IBSCA website

Certain features of the OCM website work better, or only work, when you provide information about yourself:

  • to create and manage your personal login for the IBSCA website and ‘remember’ your online profile requires your email address and will additionally retain any further information you give in order to personalise your website browsing to your interests. This includes access to any areas of the site which are only available to course participants;
  • ‘live chat’ functions do not require your contact information unless you would like a copy of the conversation sent to you. We will store a copy of the chat for future reference which will include any personal information you have provided;
  • we may invite you to enter a competition, take part in a promotion or ask you to complete a survey on our website or on a client’s or third party’s website, but these are voluntary. If we use a third party provider we will ensure that our agreement with them does not give them the right to use any personal information we provide for any other purpose. We will use your answers for research purposes with the ultimate aim of providing the best services and resources to our customers.

Subscribing to newsletters and updates

As we develop our services you have the option to subscribe to different types of information from IBSCA according to your interests. You can opt in to these communications by phone, in person (e.g. at one of our events), by email or through our website. We give you detailed choices so you only get messages about things you are actually interested in.

Any newsletters and updates that you subscribe to are generally fulfilled via email and we will use the email address you provide along with the interests you have told us about in order to do this.

Each communication you receive contains a link to manage your preferences, where you can opt out of things you no longer want to hear about, or opt in to new ones, or unsubscribe from everything. It is important to know that if you use the “unsubscribe” link in an email you receive, this will clear all your opt-in preferences, not just for the type of message you clicked the link in.

Note that we may need to communicate with you about other things, for example if you enroll on a course, and using your contact details for this purpose is treated separately.

General marketing

IBSCA will send marketing information to people who have expressed an interest in knowing about specific products. This is generally sent by email therefore we will use an address that you have provided for this purpose along with the interests you have told us about. As with newsletter and update emails from IBSCA, each message contains a link for you to manage your preferences.

We also send some marketing information, primarily to schools, agents and teachers in particular roles, where we believe there is a legitimate interest in you receiving it. This may be by email or in printed form. You can contact us to request that we not do this.

Purchasing products via the IBSCA website

If you decide to purchase products from us, then we will ask you for personal information so we can

  • process your order;
  • obtain payment for purchases through the site (via payment card or other financial means);
  • carry out our obligations arising from any contracts entered into between you and us;
  • contact you in the event of any problems with the delivery of items you have ordered from us;
  • keep an order history so we and you can see past purchases;
  • contact you for feedback on the products you ordered and/or our customer service;
  • conduct statistical analysis that does not require personally identifiable information, but helps us to identify improvements to our services.

Enrolling on an event

We require you to provide information about yourself when you fill out an application form for a course so that we can process your application. While the form is ordinarily completed online, we may receive information from you by email, post, fax or telephone, all of which will be stored in our booking system and processed together.

If you start, but do not complete, an application for one of our courses then we may:

  • store all of the information you have provided so that you can return to the application at a later date;
  • use the information you have provided in the application form to contact you to see if you need more information or other assistance to complete the application, or to know if you have changed your mind.

To submit a completed application we may collect and process the following data about you, the applicant:

  • your name and address;
  • your contact details to answer your queries and to inform you of updates to your application and to let you know about new or changed services;
  • your nationality, your school, your subjects and level;
  • your gender, for practical considerations when attending the course especially where accommodation is provided;your date of birth which we use as part of how we identify you and to validate that you can legally use some or all of our services;
  • previously-supplied information, for example if you have an existing website login profile or if you have attended a course or made purchases from us in the past;
  • personal information about your health, dietary or any other conditions or requirements that we would need to be aware of if you attend a course;
    other information about you necessary for us to accept your application and to fulfil the agreement entered into between you and us;
  • a record of your agreement to the terms and conditions for your course when submitting the application;
  • information required (and your parent’s information if appropriate) to determine any discount entitlement;
  • payment card or other financial information needed to process fees;
  • any of the information we collect may be used to undertake statistical analysis, which is generally on aggregated information, that helps us to operate and market the courses more successfully.

Prior to or during your attendance on a course, we may collect and process further data, including:

  • to provide any third party involved in the management or delivery of our courses with relevant information about course participants to enable them to fulfil their obligations, for example to provide internet access by wifi, or if the course venue requires participant lists for security purposes;
  • your photograph when you register for your course in order to identify you for security purposes or in case of emergency;
  • your photograph or likeness while you are participating in courses or course activities which we may share via social media or use in our marketing material, subject to your consent to such uses;
  • your mobile number to send text message notifications where you have requested them. We don’t use text messages for marketing purposes. We may use your mobile number to contact you by phone or text while you are attending a course with us if we need to contact you urgently;
  • information to allow you to participate in any online services provided as part of a course;
  • the collection of feedback on class content and teaching to improve your course experience;
  • to manage your attendance and participation on the course or extra-curricular activities including to record and process details of attendance, incidents, wellbeing or sickness, and financial transactions.

After completion of your course, we will retain some information as may be necessary for business, accounting or legal purposes, such as:

  • we may contact you after your course to get your feedback in order to improve our events and customer service;
  • we may contact you after your course with information about future events that we legitimately believe would be of interest to you based on the event you attended;
  • logs of medical or other incidents occurring during the course;
  • financial records of transactions.

Managing our suppliers and other business relationships

If you are a supplier to IBSCA or other business partner, we will collect, store and process data about the interactions we have with you and this will include relevant personal information about individuals. The types of personal information we process and the purposes include:

  • name and contact details that enable us to communicate with you, including for general correspondence and to maintain the relationship, to notify you about changes to our services that will affect you, or to send marketing materials such as newsletters and catalogues where this is relevant;
  • details of any contracts that you enter into with us, including non-disclosure agreements;
  • storing and using any information necessary to carry out our obligations arising from contracts entered into between you and us, including sharing relevant information with third parties contracted in connection with the services;
  • carrying out business or credit checks to manage your account that may refer to or identify individuals, depending on the type of business;
  • carrying out or requiring evidence of Disclosure and Barring Service (DBS) or similar checks where needed to provide a service to IBSCA;
  • recording and maintaining financial records of transactions to create an account history as well as for accounting, tax and legal purposes;
  • analysis of financial transactions and evaluation of contracts in order to manage them effectively, find where improvements can be made, or to identify irregularities for investigation.

Information from third parties

We use third parties to collect data on our behalf to support our activities.

We also on occasion ensure our records are as up to date as possible through running address and detail verification checks through sources that are deemed acceptable by the Information Commissioners Office.

Do we profile you?

We conduct broad data analysis to gain a better understanding of how interests, demographic factors, geography and engagement trends relate to the relevance or attractiveness of our products and services. This process looks at aggregated data, and is applied to groups of people with similar characteristics.

IBSCA may use the personal data you have provided to make sure we only contact you when relevant and about things that ought to be of interest.

We do not use entirely automated profile-based decision-making which could have an adverse effect on you.

Who do we share your data with?

We do not sell your personal information to anyone.

We share your information with third parties when they are acting on our behalf, under a specific agreement. Much of our administrative work is done by Oxford Course Managers. They are a data processor for ISBCA and are contracted to provide the same level of data control as IBSCA itself provides. IBSCA audits the data processes of Oxford Course Managers.

We will not share your data with third parties to use for their own purposes unless we are required to do so by law, for example by a court order or for the purposes of prevention of fraud or other crime. We share your personal information with marketing companies only where they are acting contractually on our behalf. These companies are not given any rights over your data other than those necessary to fulfil the service IBSCA has requested.

When you opt in to receiving information, updates or subscriptions by email from IBSCA, MailChimp is the service used to manage your consents. When you provide your details on a sign-up form, MailChimp records your information and IBSCA has access to it. If we obtain your request for updates by a different means, such as by phone or in writing, then we will upload the information to MailChimp in order to contact you.

IBSCA may contact you on behalf of other linked organisations such as the IB Organisation if it is relevant to do so based on the interests you have specified, but unless we have gained your specific consent we will not pass your details to those third parties.

What if you don’t want to provide any personal information?

Information about the courses we support is freely available and does not require you to tell us who you are or anything else that identifies you. This is the same whether you look at our website, start a live chat with us on our website, call our office, or talk to us at a conference, school visit, or other event.

If you contact us by email, complete an enquiry form, or request a call-back, then you will obviously need to provide us with contact information so we can respond to you. Similarly, if you contact us about something specific then it may be necessary for us to ask for information to provide an answer. In these cases, it may then be necessary to store the information for later reference and we will let you know if we are going to do so; if you do not give consent then it will mean that the information cannot be referred to or relied on later.

We do have some features on our website where we will need some information about you, and if you prefer not to give any details then those features won’t be available to you. If you block cookies or analytics services in your browser, you can still use the IBSCA website but you will not be able to carry out certain actions such as purchasing revision guides, registering for updates, or applying for a course.

What if someone else provides us with information about you?

There can be circumstances where someone else provides us with personal information about you or you provide us with personal information about someone else. For example:

  • If you’re a teacher and an administrator at your school is applying for you to attend an IBSCA event then they will need to provide information about you such as name and email address. Though these are connected to one application, everyone is treated as an individual and we will acknowledge to each person that we have been given information relating to them and provide details about how to contact us regarding any data issues or requests.
  • Where we operate an event in a school, the school may need to provide us with information about the individuals who will attend, ranging from names and emergency contacts to any medical or other conditions that IBSCA staff need to be aware of. Consent for this provision of information is obtained by the school and governed by a contract in place between IBSCA and the school which sets out our obligations to protect and keep confidential such data. Where we work with other organisations on the same basis, similar arrangements will apply.

IBSCA may be given legitimate access to personal information for marketing purposes, for example by sponsoring an event we may receive an attendee list, or through membership of an association we may receive a member directory. We do not purchase general mailing lists or lists of teachers for marketing purposes.

We may work with other relevant organisations who contact you about IBSCA on our behalf but we will not be provided with your email address or other information in these cases unless you have given your consent to that organisation to share it.

What about Social Media?

IBSCA has social media accounts with Facebook, Twitter, LinkedIn and others. Signing up to use a social media service requires agreement to that provider’s terms which set out the provision of privacy and rights.

We post information and photos to our social media accounts, and this may include images of course locations including participants. If you attend one of our events, we will request your consent before posting photos of you on our social media sites, however if you are not easily identifiable you may appear in photos whether or not you give this consent. We cannot prevent other people sharing photos in which you appear or information about you on social media, whether posted or tagged to our account or someone else’s, but as far as we can we will delete, block, or report unwanted or inappropriate content about you if you request it.

Through these social media, we may receive, or have access to, information about you that you have shared publicly, to a group of people, or to us directly. We apply the same principles and controls to information that we use from such sources as we would if it was provided directly by you, including whether IBSCA should gather, store or use that information at all.

What are your rights?

The GDPR states that individuals retain ownership of their own personal information and sets out a number of fundamental rights when organisations use it.

When you consent for us to contact you for marketing purposes, we make sure this is freely given, specific and unambiguous so you know what you are opting in to. You can withdraw this consent at any time and we will provide a means for you to do that every time we email, call or write to you.

You also have the right to:

  • change your communication preferences;
  • request a copy of the information we hold about you;
  • update or amend the information we hold about you if it is wrong;
  • ask us to not process your personal information in certain ways;
  • ask us to remove some or all of your personal information from our records (except where there is a legal requirement, or other legitimate grounds, to keep it);
  • raise a concern or complaint about the way in which your information is being used.

If you are unsure and have further queries on how we might use your data, please get in touch and we will be happy to answer your questions. See the ‘How to contact us’ section.

How do you update or delete your information?

If you would like to change your preferences or update the details we hold about you, please contact us.

We also set limits to the length of time we will keep your data. The duration varies for different types of individual and for different types of information provided by the same person.

We take into consideration what purpose IBSCA needs your information for, our legal obligations, and tax and accounting rules, when determining how long we should retain data. When we no longer need to retain it we have a process to securely delete or dispose of it.

If you feel it is no longer necessary for us to keep your personal information, you can ask us to delete some or all of it, which we will do provided there is no overriding reason for us to keep it.

If you choose to opt out of receiving communications from us, we may still need to retain and process relevant data about you for other legitimate purposes, including contacting you for those purposes. For example, you may unsubscribe from update emails, but we may need to email you about an order you have placed with us.

Where is your personal data stored?

The data that we collect from you may be stored digitally or on paper either within our office systems within the UK or on data servers which are located in the European Economic Area (“EEA”). Where we use internet hosting or cloud providers, we select locations in the EEA.

We currently only operate within the EEA. If in future we operate outside the EEA your data may be transferred from one place to another including outside the EEA. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers or affiliates. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.

These countries may not have similar data protection laws to the UK, however we take steps to make sure they provide an adequate level of protection and any transfer of your personal data outside the EEA will be carried out in compliance with applicable laws.

By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA

How is your personal data protected?

Whether we store your information on paper or in digital format, we take measures to protect it. The exact mechanisms for securing our systems are themselves kept confidential, however we can say that: 

  • our offices are kept secure and sensitive paper documents are in locked storage;
  • we use security measures in our IT systems reflecting technological progress and developments, applying good practices to our network security, virus/malware detection and prevention systems, access controls and encryption;
  • we avoid where possible allowing data to be taken outside our normal protected systems, such as on USB removable storage media;
  • we undertake reviews of the type of information we process and who has access to it;
  • we give training updates to our staff on security procedures and how to avoid accidental disclosure through scams, phishing or social engineering techniques.

Some of the common risks to security are at the user level. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping that password confidential. We ask you not to share the password or use the same password for more than one website.

For card purchases we work via our administration provider with an authorised payment agent that helps us to check directly with your bank that the card is valid for purchases. The payment agent processes your card details according to the international security standard PCI DSS, which was developed by the card companies VISA, MasterCard, Diners, American Express and JCB. This means that your card details are processed with a very high level of security. When you pay by card, we reserve the right to carry out an identity check.

Unfortunately, even after following good practices, the transmission of information via the internet is not completely secure. We will do our best to protect your personal data, but we cannot guarantee the security of your data transmitted to our website or sent by email, and any transmission is at your own risk.

Using our website

If you are using IBSCA’s website and register for updates or other services, you will be asked to provide personal information such as your name, e-mail address, whether you are a teacher, administrator or other, and your location (including postal address if relevant). This information is collected only with your knowledge and permission, and is help is secure databases. If you are purchasing something from us, you may be asked to provide your credit card details which are stored temporarily to process the transaction but not permanently.

Leaving comments or joining online discussions will mean that other people visiting the same pages will see personal information that you have volunteered. This information may require someone to be registered with us, or it may be public. You should therefore use discretion in what you disclose.

The information gathered during general browsing of IBSCA’s website may be used to analyse trends and usage of the site and to improve the usefulness of the site, as well as to identify or prevent improper use. It is not connected with any personal information.

Server logs

Server logs may record your IP (Internet Protocol) address, domain name, browser type, operating system, and information such as the web site that referred you to us, the files you downloaded, the pages you visit, and the dates/times of those visits. IBSCA does not try to identify individuals from the server logs without the consent of the individual (for example if a website user was experiencing technical difficulties that we had to investigate).


A cookie is a small text file saved to, and, during subsequent visits, retrieved from your computer or mobile device.
IBSCA’s website uses cookies to provide data or functionality that help us to give you the best experience while you are browsing as well as to review usage and make further improvements. Wherever possible, the information we use for this purpose will be aggregated or anonymised i.e. it will not identify you as an individual visitor to our website.

  • By continuing to use our sites without changing settings, you are agreeing to our use of cookies.
  • You can disable cookies if you prefer, but if you choose to do so you will not be able to take advantage of all features of the website.
  • You can erase cookies from your computer or mobile device using your browser once you have finished browsing. Your browser “Help” pages have instructions on how to manage cookies.

Third-party cookies and analytics

We use third-party services that collect statistics in aggregate form to provide analysis tools.

IBSCA may use Google Analytics, which tracks website visitor behaviour so that we can measure performance and improve services for our audiences. This service uses tracking codes which can follow you across different websites, but IBSCA does not receive personally-identifiable information as all data reported is anonymous. For full details on how Google Analytics works, please see the Terms of Service (https://www.google.com/analytics/terms/gb.html). If you do not want Google Analytics to use your data, then a browser add-on is available (https://tools.google.com/dlpage/gaoptout/).

IBSCA email communications are handled by OCM who uses MailChimp for email communications, which uses similar tracking tools to enable us to know whether a message has been opened, whether it resulted in the reader responding to the email by visiting a link, or if it resulted in a purchase. This helps us to make sure our communications are interesting.


Our website includes links to other websites outside our domains and which do not fall under our supervision. We cannot accept any responsibility for the protection of privacy or the content of these websites. We offer these links only as a suggestion to make it easier for you to find more information about related subjects.

More about GDPR and compliance

We take our responsibilities very seriously in ensuring the personal information we obtain is held, used, transferred and processed in accordance with the GDPR. We also adhere to all other applicable data protection laws and regulations including the Privacy and Electronic Communication Regulations.

As a UK-based organisation, IBSCA’s use of data is regulated by the Information Commissioner’s Office which is the independent authority set up to uphold information rights. The ICO’s website is an official source where you can learn more about the regulation and your rights, and can be found at https://ico.org.uk/.

IBSCA is the Data Controller for information submitted by you to IBSCA via our websites, by email or post, by phone, at events, or through any other direct interaction with IBSCA relating to IBSCA’s own courses and products. That means we determine the purpose of the storage or processing of personal information.

Where IBSCA provides services on behalf of another organisation, that organisation will be the Data Controller but IBSCA will act as Data Processor in order to undertake those services which may include event management, marketing, sales, or other activities.

Date of issue and changes to this policy

This Privacy Statement was issued on 16 May 2018.
We may update this Privacy Statement from time to time. Any changes we may make to this Privacy Statement in the future will be posted on our website at https://ibsca.org.uk/privacy and, where appropriate, notified to you by e-mail.