Note to parents / carers: This privacy notice explains how we collect, store and use personal data about your child. There is a separate privacy notice relating to the processing of parent or carer personal information.
This letter explains how we use information about you and what we do with it.
We call this information about you ‘personal data’ or ‘personal information’
Under the law, people have a right to be informed about how school uses any information we collect about them. This ‘privacy notice’ tells you how we use your personal data.
If you find this letter difficult to understand, you can ask your parents or another adult such as your teacher to help you understand it.
In this document the Trust and its schools, whether alone or in groups, are referred to as ‘we’ or “our” Parents or Pupils are referred to as “you” or “your”.
Much of the information we collect is labelled as ‘personal data’ and our use of it is covered by a set of rules called the UK General Data Protection Regulation (UK GDPR). These rules were brought into UK law under the Data Protection Act 2018 following the EU GDPR regulation, which was updated following the UK’s status post Brexit in January 2021.
This document tells you more about:
- The information we collect
- What we use the information for
- How your information is stored and how long we keep it
- What rights you have to the information
Who processes your information?
Ark Schools is a multi-academy trust and the organisation who is in charge of your personal information. This means that Ark Schools is called the ‘Data Controller’. The postal address for Ark Schools is The Yellow Building, 1 Nicholas Road, London, W11 4AN.
If you have any queries about how we use your personal information, you can contact Ark Schools’ Data Protection Officer (DPO) by emailing email@example.com or by post using the address above.
Each school within the trust has a dedicated Data Protection Lead who supports Ark’s DPO with managing breaches, Subject Access Requests, and Freedom of Information requests and can be contacted by emailing your school. Alternatively, you can speak to them in school, or leave a letter at reception or send one by post.
Your data may be shared with third parties, where it is necessary for us to do so and we have a lawful basis to do so.
Why do we need your information?
We have the legal requirement, a contractual obligation, and a legitimate interest to collect and process your personal data. We use your personal data for some, or all, of the reasons below:
- Supporting your learning
- Monitoring and reporting on your progress
- Providing appropriate care for you
- Assess the quality of our services
- Keep children safe (food allergies, or emergency contact details)
- Comply with the statutory duties placed on us by Department for Education (DfE) data collections
We have lawful reasons for having this information which means we do not usually need your consent (permission) to use this information. Sometimes we may want to use your data differently and, in these cases, we may need to gain your consent. We will ask your parent or carer for consent, and they can change their mind at any time.
The lawful basis on which we process this information
- Article 6 1(a) of the GDPR which allows processing with your consent
- Article 6 1(b) of the GDPR which allows processing that is necessary for the performance of a contract
- Article 6 1(c) of the GDPR which allows processing that is necessary to comply with a legal obligation
- Article 6 1(d) of the GDPR which allows processing that is necessary to protect vital interests
- Article 6 1(e) of the GDPR which allows processing that is necessary in order for the school to function
- Article 6 1(f) of the GDPR which allows processing that is n our legitimate interests
- Article 9 2(b) of the GDPR which allows the processing of special category data that is necessary for carrying out obligations in the fields of employment and social security and social protection law
- Article 9 2(g) of the GDPR which allows the processing of special category data that is necessary for reasons of substantial public interest
- Article 9 2(j) of the GDPR which allows the processing of special category data when it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
The processing of personal data and identifying the relevant lawful basis of processing this data is reviewed as part of our efforts to adhere to the principles of data protection.
Storing your data
Some of the personal data we collect, and use, is added to your School Record. This record is kept whilst you are enrolled in an Ark school. If you leave the school, then the record will be transferred to your next school or transferred to the Local Authority for storage. Other data that we collect from you will be stored in paper files, on cloud-based information management systems, cloud storage and sharing facilities, or on local file servers.
In accordance with data protection legislation, data is only retained for as long as is necessary to fulfil the purposes for which it was gathered, and not kept indefinitely. Some personal data is kept for different lengths of time, for example.
- Records of admission to the school are kept permanently. We do this as pupils often ask us to confirm the dates, they attended the Academy
- Correspondence about a child’s absence is kept for the current year and 2 years afterwards
- Records of your visits to schools are kept for the current year and 6 years afterwards
We have a policy which explains how long we keep information and is called the Data Retention and Disposal policy and you can ask for a copy by emailing firstname.lastname@example.org.
Transfer outside of the European Economic Area (EEA)
We do not normally transfer your information to a different country outside the United Kingdom or EU (these countries together are called the EEA). However, some of our external third-party support partners are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented, including:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission
- Where we use certain service providers, we may use specific contract clauses approved by the European Commission which give personal data the same protection it has in Europe
What are your rights?
You and your parents or carers have the right to do the following:
- You can ask us for a copy of the information we have about you. This is called a ‘Subject Access Request’
- You can ask us to correct any information we have about you if you think it is wrong
- You can ask us to erase information about you (however, we will provide you an explanation where this is not possible)
- You can ask us to limit what we are doing with your information
- You can object to what we are doing with your information
- You can ask us to transfer your information to another organisation in a format that makes it easy for them to use
There is more information in our Data Protection Policy which can be found on our website here or you can ask for a copy in school.
Ark Schools aims to comply fully with its obligations under the UK GDPR. If you have any questions or concerns regarding Ark’s management of personal data, please contact Ark’ Data Protection Officer using email@example.com who is responsible for ensuring Ark Schools is compliant with the UK GDPR.
If you feel that your questions or concerns have not been dealt with adequately on any data protection matter, please get in touch with us and the matter will be escalated to our Director of Governance. If you remain unhappy with our response or if you need any advice, you can contact the Information Commissioner’s Office (ICO). Please visit their website (www.ico.org.uk/concerns) for information on how to make a data protection complaint.