Privacy notice for Students aged 13 and Over

In this document the Trust and its schools, whether singly or in groups, are referred to as ‘we’ or “our” Students are referred to as “you” or “your”.

Much of the information we collect is labelled as ‘personal data’ and our use of it is covered by a set of rules called the UK General Data Protection Regulation (UK GDPR). These rules were brought into UK law under the Data Protection Act 2018 following the EU GDPR regulation, which was updated following the UK’s status post Brexit in January 2021.

This document tells you more about:

• The information we collect
• What we use the information for
• How your information is stored and how long we keep it
• What rights you have to the information

Ark Schools is a multi-academy trust and the organisation who is in charge of your personal information. This means that Ark Schools is called the ‘Data Controller’. The postal address for Ark Schools is The Yellow Building, 1 Nicholas Road, London, W11 4AN.

If you have any queries about how we use your personal information, you can contact Ark Schools’ Data Protection Officer (DPO) by emailing dataprotection@arkonline.org or by post using the address above.

Each school within the trust has a dedicated Data Protection Lead who supports Ark’s DPO with managing breaches, Subject Access Requests, and Freedom of Information requests and can be contacted by emailing your school. Alternatively, you can speak to them in school, or leave a letter at reception or send one by post.

Your data may be shared with third parties, where it is necessary for us to do so and we have a lawful basis to do so.

We have the legal requirement, a contractual obligation, and a legitimate interest to collect and process your personal data. We use your personal data for some, or all, of the reasons below:

• Supporting your learning
• Monitoring and reporting on your progress
• Providing appropriate care for you
• Assess the quality of our services
• Keep children safe (food allergies, or emergency contact details)
• Comply with the statutory duties placed on us by Department for Education (DfE) data collections

We have lawful reasons for having this information which means we do not usually need your consent (permission) to use this information. Sometimes we may want to use your data differently and, in these cases, we may need to gain your consent. We will ask you and your parent/ carer for consent, and you can change your mind at any time.

This includes:

• Personal identifiers and contacts (such as name, unique pupil number and reference numbers, contact details and address)
• Characteristics (such as ethnicity, language, and free school meal eligibility)
• Safeguarding information (such as court orders and professional involvement)
• Special educational needs (including the needs and ranking)
• Medical and administration (such as doctors’ information, child health, dental health, allergies, medication and dietary requirements)
• Attendance (such as sessions attended, number of absences, absence reasons and any previous schools attended)
• Tests and results
• Information about behaviour (such as exclusions and any relevant alternative provision put in place) including monitoring of IT use when using a school device
• Information about free school meal and pupil premium eligibility
• Information we use to arrange school meals (e.g. whether you have school dinners and how often)
• Add information about biometric recognition systems such a cashless catering
• CCTV images captured in school
• Add any others relevant e.g. any other form of identity management or authentication, anything related to school trips
• We will also use photographs of you but only when it is appropriate to do so

• Article 6 1(a) of the GDPR which allows processing with your consent
• Article 6 1(b) of the GDPR which allows processing that is necessary for the performance of a contract
• Article 6 1(c) of the GDPR which allows processing that is necessary to comply with a legal obligation
• Article 6 1(d) of the GDPR which allows processing that is necessary to protect vital interests
• Article 6 1(e) of the GDPR which allows processing that is necessary in order for the school to function
• Article 6 1(f) of the GDPR which allows processing that is in our legitimate interests
• Article 9 2(b) of the GDPR which allows the processing of special category data that is necessary for carrying out obligations in the fields of employment and social security and social protection law
• Article 9 2(g) of the GDPR which allows the processing of special category data that is necessary for reasons of substantial public interest
• Article 9 2(j) of the GDPR which allows the processing of special category data when it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

The processing of personal data and identifying the relevant lawful basis of processing this data is reviewed as part of our efforts to adhere to the principles of data protection.

Some of the personal data we collect, and use, is added to your School Record. This record is kept whilst you are enrolled in an Ark school. If you leave the school, then the record will be transferred to your next school or transferred to the Local Authority for storage. Other data that we collect from you will be stored in paper files, on cloud-based information management systems, cloud storage and sharing facilities, or on local file servers.

In accordance with data protection legislation, data is only retained for as long as is necessary to fulfil the purposes for which it was gathered, and not kept indefinitely. Some personal data is kept for different lengths of time, for example.

• Records of admission to the school are kept permanently. We do this as pupils often ask us to confirm the dates, they attended the Academy
• Correspondence about a child’s absence is kept for the current year and 2 years afterwards 
• Records of your visits to schools are kept for the current year and 6 years afterwards 

We have a policy which explains how long we keep information and is called the Data Retention and Disposal policy and you can ask for a copy by emailing dataprotection@arkonline.org.

We do not normally transfer your information to a different country outside the United Kingdom or EU (these countries together are called the EEA). However, some of our external third-party support partners are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented, including:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission
• Where we use certain service providers, we may use specific contractual clauses approved by the European Commission which give personal data the same protection it has in Europe

At times we will share your personal data with external organisations and people. We will only do this where we are legally required to do so, when our policies allow us to do so or when you have given your consent. We may share your personal information with the following:

Government

We are required, by law (under regulation 5 of the Education (Information about Individual Pupils) (England) Regulations 2013), to pass some information about you to the DfE.  This is the part of the Government which is responsible for schools. This personal information may, in turn, then be made available for use by the Local Authority. The DfE may also share this information that we give to them with other people or organisations. This will only take place where the law, including the law about data protection, allows it.

Parents and carers 

We will also normally give information about you to your parents or your main carer. Where appropriate, we will listen to your views first and will also take family circumstances into account before sharing information.

External organisations 
 
We may also share your personal data to:  

• Your new school if you move schools 
• Disclosures connected with special educational needs support 
• School nurse / counsellor and CAMHS (Child and Adolescent Mental Health Service) 
• Educators, examining bodies and our regulator Ofsted 
• Suppliers and service providers – to enable them to provide the service we receive from them
• Central and local government 
• Survey, research, and security organisations 
• Health authorities and health and social welfare organisations
• Financial organisations, professional advisers and consultants including our auditors 
• Charities, voluntary organisations, and professional bodies 
• Police forces, courts, tribunals 

We may not need consent to share your information. However, if at any time it appears to us that we would need permission, then we will ask before sharing.

You have the right to do the following:

• You can ask us for a copy of the information we have about you. This is called a ‘Subject Access Request’
• You can ask us to correct any information we have about you if you think it is wrong 
• You can ask us to erase information about you (however, we will provide you an explanation where this is not possible)
• You can ask us to limit what we are doing with your information
• You can object to what we are doing with your information 
• You can ask us to transfer your information to another organisation in a format that makes it easy for them to use

Parents or carers also have the right to make a subject access request on your behalf with respect to any personal data the school holds about you or them. If we receive a request for your personal information, we will seek your permission to provide this information to your parent/carer or guardian.

There is more information in our Data Protection Policy which can be found on our website here or you can ask for a copy in school.

Ark Schools aims to comply fully with its obligations under the UK GDPR. If you have any questions or concerns regarding Ark’s management of personal data, please contact Ark’ Data Protection Officer using dataprotection@arkonline.org who is responsible for ensuring Ark Schools is compliant with the UK GDPR.

If you feel that your questions or concerns have not been dealt with adequately on any data protection matter, please get in touch with us and the matter will be escalated to our Director of Governance. If you remain unhappy with our response or if you need any advice, you can contact the Information Commissioner’s Office (ICO). Please visit their website (www.ico.org.uk/concerns) for information on how to make a data protection complaint.