This privacy notice has been written to inform parents, guardians and pupils of the Areté Learning Trust about how and why we process your personal data.
Who are we?
The Areté Learning Trust is a data controller as defined by the UK GDPR. This means that we determine the purposes for which your personal data is processed and the manner of the processing. We will only collect and use your personal data in ways that are compliant with data protection legislation.
The school has appointed Veritau Ltd as its Data Protection Officer (DPO). The role of the DPO is to monitor our compliance with the UK GDPR and the Data Protection Act 2018 and advise on data protection issues. If you would like to discuss this privacy notice or our use of your data, please contact Veritau the Trust Governance and Compliance Lead governance@aretelearningtrust.org Veritau’s contact details are:
Schools Data Protection Officer
Veritau
West Offices
Station Rise
York
North Yorkshire
YO1 6GA
schoolsDPO@veritau.co.uk // 01904 554025
Please ensure you include the name of your school in all correspondence.
What personal information do we collect?
The personal data we collect about you includes:
• Personal identifiers and contact details, including name, postal address, email address, phone number, date of birth, and pupil number.
• Educational and assessment attainment, such as early years, phonics and national curriculum assessment results.
• Characteristics such as free school meal eligibility and language spoken.
• Attendance information, including sessions attended, reason and number of absences, and previous schools attended.
• Behavioural information, including exclusions and any relevant alternative provision put in place.
• Safeguarding information, including but not limited to court orders and professional involvement and support.
• Child in Need or Looked After status, including episodes of being looked after or a child in need, adoptions, care leavers and outcome information.
• Healthcare and medical information such as doctor details, allergies, medication and dietary requirements.
• Photographs or video images, including CCTV footage.
• Information relating to school trips and extra-curricular activities.
• Records of communications and interactions we have with you.
• Before and after school club attendance.
• Equality monitoring information, such as your ethnicity, religious beliefs, sexual orientation and gender.
• Biometric data e.g. thumbprints.
• Medical information relevant to pandemic management, such as your vaccination status and positive test results.
• E-monitoring information about your use of the school’s network and IT systems.
Why do we collect your personal information?
We process your information for the purposes outlined below:
• To support pupil learning.
• To meet our safeguarding obligation to pupils.
• To monitor and report on pupil attainment progress.
• To provide appropriate pastoral care.
• To assess the quality of our educational provision.
• To provide breakfast club and after school provision.
• To meet the statutory duties placed upon us regarding DfE data collections.
• During a pandemic, to prevent the spread of infection and maintain adequate and safe pupil and staffing levels.
• To promote the school, including in newsletters, on the school website and social media platforms.
What is our lawful basis for processing your information?
Under the UK GDPR, it is essential to have a lawful basis when processing personal information. We normally rely on the following lawful bases:
• Article 6(1)(a) – consent
• Article 6(1)(c) – legal obligation
• Article 6(1)(e) – public task
Where we are processing your personal data with your consent you have the right to withdraw that consent. If you change your mind or are unhappy with our use of your personal data, please let us know by contacting the Trust Governance and Compliance Lead governance@aretelearningtrust.org There may be occasions where our processing is not covered by one of the legal bases above. In that case, we may rely on Article 6(1)(f) – legitimate interests. We only rely on legitimate interests when we are using your data in ways you would reasonably expect.
Some of the information we collect about you is classed as special category data under the UK GDPR. The additional conditions that allow for processing this data are:
• Article 9(2)(a) – explicit consent
• Article 9(2)(g) – reasons of substantial public interest
The applicable substantial public interest conditions in Schedule 1 of the Data
Protection Act 2018 are:
• Condition 6 – statutory and government purposes
• Condition 10 – preventing or detecting unlawful acts
• Condition 18 – safeguarding of children and vulnerable people
Who do we obtain your information from?
We normally receive this information directly from you, for example via admissions forms, or secure file transfer from a previous school. However, we may also receive some information from the following third parties:
• Department for Education (DfE).
• Local Authority.
• Other agencies working with the child/family, such as Police, Health Services etc.
Who do we share your personal data with?
We may share your information with the following organisations:
• Schools/education providers that the pupils attend after leaving us.
• Local Authority.
• Department for Education (DfE).
• The Education and Skills Funding Agency (ESFA)
• National Health Service (NHS) bodies.
• Youth support services, where relevant.
• Other agencies working with the child/family, where appropriate.
• Relevant examination/awarding bodies.
• School suppliers and IT applications, where necessary.
For more information on information sharing with the DfE please visit the DfE
website.
We may also share information with other third parties where there is a lawful basis to do so. For example, we sometimes share information with the police for the purposes of crime detection or prevention. We also regularly share information with appropriate organisations for the purposes of arranging school trips.
How long do we keep your personal data for?
We will retain your information in accordance with our Trust Records Management Policy and Retention Schedule. The retention period for most of the information we process about you is determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is reasonably necessary to fulfil its purpose.
We may also retain some information for historical and archiving purposes in accordance with our Records Management policy.
International transfers of data
Although we are based in the UK, some of the digital information we hold may be stored on computer servers located outside the UK. Some of the IT applications weuse may also transfer data outside the UK. Normally your information will not be transferred outside the European Economic Area, which is deemed to have adequate data protection standards by the UK government. In the event that your information is transferred outside the EEA, we will take reasonable steps to ensure your data is protected and appropriate safeguards are in place.
What rights do you have over your data?
Under the UK GDPR, parents and pupils have the following rights in relation to the processing of their personal data:
• to be informed about how we process your personal data. This notice fulfils this obligation.
• to request a copy of the personal data we hold about you.
• to request that your personal data is amended if inaccurate or incomplete.
• to request that your personal data is erased where there is no compelling reason for its continued processing.
• to request that the processing of your personal data is restricted.
• to object to your personal data being processed. Please be aware that usually pupils are considered to have the mental capacity to understand their own data protection rights from the age of 12 years old. The school may therefore consult with a pupil over this age if it receives a request to exercise a data protection right from a parent. If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO using the details provided above. If we cannot resolve your concerns then you may also complain to the Information Commissioner’s Office, which is the UK’s data protection regulator. Their contact details are below:
Phone: 0303 123 1113 or via their live chat. Opening hours are Monday to Friday between 9am and 5pm (excluding bank holidays). You can also report, enquire, register and raise complaints with the ICO using their web form on Contact us | ICO. Changes to this notice We reserve the right to change this privacy notice at any time. We will normally notify you of changes that affect you. However, please check regularly to ensure you have the latest version.
This privacy notice was last reviewed May 2023.