In relation to the website:  (“the Site”).

Owner: Institute of School Business Leadership under company number 3425492 (“we/us”).

Customer services: [email protected]

Postal address: 53 Butts, Coventry, West Midlands CV1 3BH


The Institute of School Business Leadership (ISBL) succeeded NASBM in November 2017. ISBL aims to provide the sector with confidence in the school business leadership community through a framework of qualifications underpinned by Professional Standards linked to membership categories and practitioners with the professional recognition and status they deserve. 


Use of Your Data

We take data privacy very seriously. We have set out below the uses to which we will put the information that we have about you in the delivery of the Services, and the legal basis for this, as well as introducing the rights that you have over the way that we use your information. This policy should be read in conjunction with our Policy Manual.

For the purposes of the General Data Protection Regulation (“GDPR”) and any subsequent UK legislation covering data protection, we are the data controller (the entity which processes your data). All queries relating to this policy and/or data protection more generally should be referred to          Bethan Cullen of the       Institute of School Business Leadership   at [email protected]

The information collected about you might include the following:-


Personal Data

  • First name
  • Last name
  • Job title
  • Gender
  • Preferred pronoun
  • Date of birth
  • Email (for login)
  • Address (including billing address)
  • Postcode
  • Photographs which include your image and likeness
  • Access information for events
  • Geo-location data (your geographical location based on your IP address)


(hereinafter together, “Data”)

The Data is collected when you use our Site and when you sign up and register for membership on the Site.

If you attend our events, Data may also be collected here, as you may find yourself photographed by our official photographers.

We may add any additional Data that we collect subsequent to initial Data collection, to your record.

All Data will be kept private and not shared automatically.  Save as provided for in this Privacy Policy, we will not sell, rent, distribute or disclose your Data without your consent or where required or permitted to do so by law.

We may use the Data that you provide for the following purposes:

    • to deal with your enquiry and, if you apply for membership (including where you are signing up for a free trial) to administer such membership and provide you with the relevant Services which may include:-
    • offering you guidance on career pathways and specialist training programs tailored to school business professionals;
    • inviting you to events;
    • Inviting you to participate in questionnaires, surveys and opinion gathering exercises relevant to school business professionals
    • sending you fortnightly e-bulletins, news updates, policy analysis and briefings; and
    • allowing you to access interactive features, including access to your online portal and our online forums where you can discuss and explore the issues affecting you and other SBM professionals;


    • in relation to events :
    • we may distribute (hard copy) relevant marketing material to the geographical or email address stated in your account, as supplied by you; and
    • we may also include your Data on distribution lists to other attendees and exhibitors at events (where you are also attending).


We therefore ask that you provide us with your business contact details (e.g. your email address, address and phone number at your educational establishment). Please do not supply your personal contact information.

  • to assist you with important procurement decisions through our Approved Partner scheme;
  • to notify you about important functionality changes and alterations to the Site, or offer of products, services or information that might be of particular interest to you (where you have consented to this);
  • for the purposes of marketing our events, Site and Services whether via our website, on stands, billboards or other promotional materials; and/or
  • for research purposes and to help us plan and improve our Services. We may contact you ourselves or ask outside research agencies to do so on our behalf.

(“the Purpose(s)”).

The use of your information for the Purposes is lawful because one or more of the following applies:

    • it is necessary for us to hold and use your Data so that we can perform our obligations under the contract we have entered into with you for the Purpose(s); and/or
    • it is necessary for the purposes of legitimate interests pursued by us in order to market and provide the Site and Services and/or to keep the Site and Services up to date; and/or
    • you have given your consent to these Purpose(s), where the purpose is ancillary to the main Purpose(s) for which your Data is used. You may withdraw consent to these uses at any time either by using the opt-out option (where available) or by emailing us at [email protected] noting that:
    • this will not affect the lawfulness of processing of your Data prior to your withdrawal of consent being received and actioned; and
    • if we have asked for your consent to a specific part of the service and you wish to withdraw this consent, you may not be able to partake in some of our services if you do so.

(“the Lawful Uses”).


Transfer to Third Parties

Your Data may be collected, passed and/or held by the following third parties if you have opted in to permit us to do this, you have registered directly with any of the entities below or we are otherwise legally entitled to do so:-

  • our suppliers in order to facilitate transactions and delivery;
  • our mailing house in order to deliver member mailings;
  • our publishing house in order to deliver the member magazine;
  • any of our Approved Partners;
  • exhibitors or attendees of the same events as you; our customer relationship system, Microsoft Dynamics
  • our email marketing service, MailChimp.


We ensure that any third parties processing your Data on our behalf protect it as carefully as we do and that they provide an adequate level of protection for your rights as a data subject. This may involve transferring your Data to other companies, inside or outside the EU.  However, use of your Data will be subject to each of the above party’s Privacy Policy, so please ensure that you familiarise yourself with these policies, details of which should be available on each of their websites, should you wish to know how your data is being processed by them.

Your information may also be transferred to another company in the event of the transfer of our assets to a third party. In that event, we will endeavour to ensure that your rights and freedoms in respect of the processing of your personal data are adequately and appropriately protected.


Use of Aggregated Data

Where Data can be aggregated (and anonymised), we may use this without restriction for research purposes.

For example, we may monitor customer traffic patterns, Site and Services usage and related information in order to optimise users’ usage of the Site and Services and we may give aggregated statistics to a reputable third-party.

We are entitled to do this because the resulting data will not personal identify you and will therefore no longer constitute personal data for the purposes of data protection laws.


Storage of Data

Your Data will be stored only for so long as is reasonably necessary in order to carry out the Purpose(s).  Where your Data is no longer required, we will ensure it is disposed of in a secure manner.


Your rights

You have the right to request details of the processing of your Data by making a subject access request. Such requests have to be made in writing. More detail about how to make a request and the procedure to be followed can be found on the ICO’s website.

You also have the following rights:

  • The right to request rectification of information that is inaccurate or out of date;
  • The right to erasure of your Data (known as the right to be forgotten);
  • The right to object to the way in which we are dealing with and using your Data;
  • The right to restrict the processing of your Data; and
  • The right to request that your Data be provided to you in a format that is secure and suitable for re-use (known as the right to portability).


All of these rights are subject to certain safeguards and exemptions, more details of which can be found on the ICO’s webpage.  To exercise any of these rights, you should contact Bethan Cullen of the Institute of School Business Leadership at the above email address.

If you are not happy about the way in which we have processed or dealt with your Data, you may file a complaint with Information Commissioner’s Office.

More detail about how you may do so can be found here.


Transfers outside of the European Economic Area

We may send your Data outside of the European Economic Area (EEA). We do this because your Data may be stored on servers based outside the EEA. However, we meet our obligations under the relevant legislation by ensuring that your Data has the same protection as if it were being held within the EEA. We do this by ensuring that any third party processing your Data outside the EEA either benefits from the EUU.S. Privacy Shield and/or, where appropriate, we have entered into a data processing agreement containing model EU clauses certified by the European Commission.


Security of Your Data

The Site is a UK-based website and takes reasonable care to comply with the requirements of the UK Data Protection Act 1998 (or any other legislation which may replace, supplement or amend it) (‘the Act’) relating to the personal information you supply on the Site.  The Site uses a security system that protects your information from unauthorised use.  However, as no data transmissions over the internet can be guaranteed to be one hundred percent secure, we cannot ensure or warrant the security of any information you transmit to us and you do so at your own risk.

We do not handle payments and cannot store credit or debit card data. When you go to check out, you will be automatically redirected to a secure server managed provided by Worldpay to guarantee your safety. Those servers are PCI/DSS compliant and security-monitored.


Updating your Information

If any of the information you provide when subscribing to the services on the Site changes, please update your profile by logging in or alternatively, please notify [Membership at [email protected]


Accessing your Information

We are data controllers for the purposes of the Act and if you wish to request access to your Information held by us, you may contact Membership at [email protected]


Mailing Lists

If you subscribe to our mailing lists for new release and other information, we also ask you to answer various general questions about yourself. You will be asked to specify the areas in which you are interested so that we can tailor the information which we send to you to cover the new products and special offers which we believe you might be interested in.


If you subscribe to our newsletter and updates sent via email and at any time you wish to stop receiving this or any other information you may have requested from us or any other company, please email or write to [email protected] at the address given for us above or click the Unsubscribe link (if available) at the bottom of any document you receive from us. Please note that unsubscribing from any single communication will then mark you opted out for email communications and you will no longer receive any e-communications from us which will include membership newsletter which are a benefit of membership.


Surveys and user groups

We always aim to improve the services we offer. As a result, we occasionally canvass our customers using surveys. Participation in surveys is voluntary, and you are under no obligation to reply to any survey you might receive from us. Should you choose to do so, we will treat the information you provide with the same high standard of care as all other customer information.



Your participation on our Site may mean that we occasionally contact you with the opportunity to enter competitions. Entry to competitions is voluntary, and you are under no obligation to take up an invitation from us to enter. Should you choose to enter a competition, we will treat the information you provide with the same high standard of care as all other customer information, and use the information provided strictly within the entry terms of the competition and this Privacy Policy.


Links to third parties’ sites

Please note that we do provide links to other sites, which may not be governed by this Privacy Policy and you should view the privacy policy of those sites for further information.


Traffic Patterns/Site Statistics

We may monitor customer traffic patterns, Site usage and related Site information in order to optimise your use of the Site and we may give aggregated statistics to a reputable third-party, but these statistics will include no information personally identifying you.



In addition to the Information which you supply to us, information and data may be automatically collected through the use of cookies. Cookies are small text files the Site can use to recognise repeat users and allow us to observe behaviour and compile aggregate data in order to improve the Site for you. For example, cookies will tell us whether you viewed the Site with sound or with text on your last visit. Cookies also allow us to count the number of unique and return visitors to our Site.  Some of our associated companies may themselves use cookies on their own websites. We have no access to, or control of these cookies, should this occur.

Cookies may be either “persistent” cookies or “session” cookies. A persistent cookie consists of a text file sent by a web server to a web browser, which will be stored by the browser and will remain valid until its set expiry date (unless deleted by the user before the expiry date). A session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

The law states that we can store cookies on your machine if they are essential to the operation of the Site, but that for all others we need your permission to do so.

The list below explains the cookies that we use and why:


Cookie name Description  Duration 
_ga and _gID Registers a unique ID that is used to generate statistical data on how the visitor uses the website. Website stats
_gat Used by Google Analytics to throttle request rate Website stats
 Collect Used to send data to Google Analytics about the visitor’s device and behaviour. Tracks the visitor across devices and marketing channels Website stats
  cc_cookie_accept  Allows the cookie bar to remember you decision  cookie bar
  ASP.NET_SessionId  Allows the site to recognise you to provide a seamless experience for things like member login and form completion Essential system cookie
ISBLAuthCookie This cookie is used by the website to store anonymous session and login tokens. It may identify you as a single user (member) when you move between pages but carry no personally identifiable information. Session

(destroyed when you close your



Essential system cookie to allow ISBL to identify members and display member only content.

__RequestVerificationToken Used to prevent Cross-site Request Forgery (CSRF) attacks. Session

(destroyed when you close your browser)

personalisationGroupsPagesViewed These cookies are used by the ISBL portal (Umbraco) to collect basic user information related to visits such as the pages viewed, number of visits, etc. 3 months
personalisationGroupsNumberOfVisitsSessionStarted Session

(destroyed when you close your browser)

personalisationGroupsNumberOfVisits 23 days
Cookieconsent This is used to remember that the user has accepted the cookie consent popup. 1 year
ASP.NET_SessionId This cookie is essential for the breach notification form – the form that public electronic communications service providers use to notify the ICO of a security breach – to operate. It is set only for those people using the form. This cookie is deleted when you close your browser. Session

(destroyed when you close your browser)

Opting out of cookies

If you do not wish to receive cookies from us or any other website, you should be able to turn cookies off on your web browser: please follow your browser provider’s instruction in order to do so.  Unfortunately, we cannot accept liability for any malfunctioning of your PC or its installed web browser as a result of any attempt to turn off cookies.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit or


Amendments to this Privacy Policy

We may occasionally modify this Privacy Policy.  We will endeavour to notify members in advance of such variations.  However, in any event, including where this is not possible, variations will become effective seven (7) days after posting to the Site, By continuing to use the Site and Services, you will be deemed to accept any such variations.


Privacy Policy, version [2.0] (updated May 2018)