In this document the Trust and its schools, whether singly or in groups, are referred to as ‘we’ or “our” Parents are referred to as “you” or “your”
Much of the information we collect is classed as ‘personal data’ and our use of it is covered by a set of rules called the UK General Data Protection Regulation (UK GDPR). These rules were brought into UK law under the Data Protection Act 2018 following the EU GDPR regulation, which was updated following the UK’s status post Brexit in January 2021.
This document tells you more about:
- The information we collect
- What we use the information for
- How your information is stored and how long we keep it
- What rights you have to the information
There is a separate privacy notice relating to the processing of your child’s personal information and is available on the school’s website and by request.
Who processes your information?
Ark Schools is a multi-academy trust and the organisation who is in charge of your personal information. This means that Ark Schools is called the ‘Data Controller’. The postal address for Ark Schools is The Yellow Building, 1 Nicholas Road, London, W11 4AN.
If you have any queries about how we use your personal information, you can contact Ark Schools’ Data Protection Officer (DPO) by emailing email@example.com or by post using the address above.
Each school within the trust has a dedicated Data Protection Lead who supports Ark’s DPO with managing breaches, Subject Access Requests, and Freedom of Information requests and can be contacted by emailing your child’s school. Alternatively, you can speak to them in school, or leave a letter at reception or send one by post.
Your data may be shared with third parties, where it is necessary for us to do so, and we have a lawful basis to do so.
Why do we need your information?
We have the legal requirement, a contractual obligation, and a legitimate interest to collect and process your personal data. We use your personal data for some, or all, of the reasons below:
- To support the admissions process
- To support learning for your child(ren)
- To maintain a safe environment for our pupils
- To provide appropriate pastoral care
- To enable you to pay for activities for your child(ren)
- To enable you to pay for school meals for your child(ren)
- To enable free school meals to be provided
- To comply with our legal obligations to share information
- To ensure your health and safety if you visit school
- To keep you up to date with news about the school
We have lawful reasons for having this information which means we do not usually need your consent to use this information. Sometimes we may want to use your data differently and, in these cases, we may need to gain your consent.
The lawful basis on which we process this information
- Article 6 1(a) of the GDPR which allows processing with your consent
- Article 6 1(b) of the GDPR which allows processing that is necessary for the performance of a contract
- Article 6 1(c) of the GDPR which allows processing that is necessary to comply with a legal obligation
- Article 6 1(d) of the GDPR which allows processing that is necessary to protect vital interests
- Article 6 1(e) of the GDPR which allows processing that is necessary in order for the school to function
- Article 6 1(f) of the GDPR which allows processing that is in our legitimate interests
- Article 9 2(b) of the GDPR which allows the processing of special category data that is necessary for carrying out obligations in the fields of employment and social security and social protection law
- Article 9 2(g) of the GDPR which allows the processing of special category data that is necessary for reasons of substantial public interest
- Article 9 2(j) of the GDPR which allows the processing of special category data when it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
The processing of personal data and identifying the relevant lawful basis of processing this data is reviewed as part of our efforts to adhere to the principles of data protection.
Storing your data
Some of the personal data we collect, and use, is added to the School Record for your child(ren). This record is kept whilst they are enrolled in an Ark school. If they leave the school, then the record will be transferred to the next school they attend or transferred to the Local Authority for storage. Other data that we collect from you will be stored in paper files, on cloud-based information management systems, cloud storage and sharing facilities, or on local file servers.
In accordance with data protection legislation, data is only retained for as long as is necessary to fulfil the purposes for which it was obtained, and not kept indefinitely. Some personal data is kept for different lengths of time, for example.
- Records of admission to the school are kept permanently. We do this as pupils often ask us to confirm the dates, they attended the Academy.
- Correspondence about a child’s absence is kept for the current year and 2 years afterwards
- Records of your visits to schools are kept for the current year and 6 years afterwards
We have a policy which explains how long we keep information and is called the Data Retention and Disposal policy and you can ask for a copy by emailing firstname.lastname@example.org.
Access to personal data about your child(ren)
Where your child(ren) is/are under the age of 13 it is usually assumed that they are not able to make decisions about their personal data. That right is usually given to those with parental responsibility. To access the personal data relating to your child(ren) you will need to follow the same procedure as you would to access your own personal data.
If your child requests access to their own personal data, then we will normally refer that request to you for confirmation before releasing any data.
Once your child(ren) reaches the age of 13, in most cases they are assumed to be able to make their own decisions about the use of their personal data. This means that we will not refer any request from a child(ren) over the age of 13 to a person with parental responsibility for access to their own personal data. Similarly, if you wish to make a request for data about your child(ren) who is over 13, we will refer that request to your child(ren) for consent for you to access their personal data.
It is worth knowing that under the terms of the Data Protection Act (2018) parents do not have an automatic right to access information about their child(ren) through a subject access request and we are given one calendar month to respond to these requests.
Transfer outside of the European Economic Area (EEA)
We do not normally transfer your information to a different country outside the EEA. However, some of our external third-party support partners are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented, including:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
- Where we use certain service providers, we may use specific contractual clauses approved by the European Commission which give personal data the same protection it has in Europe.
What are your rights?
You have the right to do the following:
- You can ask us for a copy of the information we have about you. This is called a ‘Subject Access Request’
- You can ask us to correct any information we have about you if you think it is wrong
- You can ask us to erase information about you (however, we will provide you an explanation where this is not possible)
- You can ask us to limit what we are doing with your information
- You can object to what we are doing with your information
- You can ask us to transfer your information to another organisation in a format that makes it easy for them to use
There is more information in our Data Protection Policy which can be found here or you can ask for a copy at your child’s school.
Ark Schools aims to comply fully with its obligations under the UK GDPR. If you have any questions or concerns regarding Ark’s management of personal data, please contact Ark’ Data Protection Officer using email@example.com who is responsible for ensuring Ark Schools is compliant with the UK GDPR.
If you feel that your questions or concerns have not been dealt with adequately on any data protection matter, please get in touch with us and the matter will be escalated to our Director of Governance. If you remain unhappy with our response or if you need any advice, you can contact the Information Commissioner’s Office (ICO). Please visit their website (www.ico.org.uk/concerns) for information on how to make a data protection complaint