Privacy Notice for Parents

Ark Schools is a multi-academy trust and the organisation who is in charge of your personal information. This means that Ark Schools is called the ‘Data Controller’. The postal address for Ark Schools is The Yellow Building, 1 Nicholas Road, London, W11 4AN. 

If you have any queries about how we use your personal information, you can contact Ark Schools’ Data Protection Officer (DPO) by emailing dataprotection@arkonline.org or by post using the address above.  

Each school within the trust has a dedicated Data Protection Lead who supports Ark’s DPO with managing breaches, Subject Access Requests, and Freedom of Information requests and can be contacted by emailing your child’s school. Alternatively, you can speak to them in school, or leave a letter at reception or send one by post. 

Your data may be shared with third parties, where it is necessary for us to do so, and we have a lawful basis to do so.

We have the legal requirement, a contractual obligation, and a legitimate interest to collect and process your personal data. We use your personal data for some, or all, of the reasons below: 

• To support the admissions process 
• To support learning for your child(ren) 
• To maintain a safe environment for our pupils 
• To provide appropriate pastoral care 
• To enable you to pay for activities for your child(ren) 
• To enable you to pay for school meals for your child(ren) 
• To enable free school meals to be provided 
• To comply with our legal obligations to share information 
• To ensure your health and safety if you visit school 
• To keep you up to date with news about the school 

We have lawful reasons for having this information which means we do not usually need your consent to use this information. Sometimes we may want to use your data differently and, in these cases, we may need to gain your consent.  

This includes: 

• Personal details (for example, name, date of birth, national insurance number) 
• Contact details (for example, address, telephone number, email address) 
• Family details (for example, details of other children, emergency contacts) 
• Admission requests 
• Records of communications (for example, emails, phone messages and letters) 
• Records of visits to school (for example, time and date, the person you visited) 
• Photographs of you or images on CCTV 
• Banking details (A credit or debit card registered with our payment system) 
• Records of transactions in our payment system 
• Consent for school visits and extra-curricular activities 
• Support received, including care packages, plans and support providers. 
• We may also hold data about you that we have received from other organisations, including other schools and social services. 

In some cases, we will also have: 

• Information about consultation with other professionals 
• Information about your employment and financial situation 
• Information about any care or contact orders relating to your child(ren) 

• Article 6 1(a) of the GDPR which allows processing with your consent  
• Article 6 1(b) of the GDPR which allows processing that is necessary for the performance of a contract 
• Article 6 1(c) of the GDPR which allows processing that is necessary to comply with a legal obligation 
• Article 6 1(d) of the GDPR which allows processing that is necessary to protect vital interests 
• Article 6 1(e) of the GDPR which allows processing that is necessary in order for the school to function 
• Article 6 1(f) of the GDPR which allows processing that is in our legitimate interests 
• Article 9 2(b) of the GDPR which allows the processing of special category data that is necessary for carrying out obligations in the fields of employment and social security and social protection law 
• Article 9 2(g) of the GDPR which allows the processing of special category data that is necessary for reasons of substantial public interest 
• Article 9 2(j) of the GDPR which allows the processing of special category data when it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes 

The processing of personal data and identifying the relevant lawful basis of processing this data is reviewed as part of our efforts to adhere to the principles of data protection. 

Some of the personal data we collect, and use, is added to the School Record for your child(ren). This record is kept whilst they are enrolled in an Ark school. If they leave the school, then the record will be transferred to the next school they attend or transferred to the Local Authority for storage. Other data that we collect from you will be stored in paper files, on cloud-based information management systems, cloud storage and sharing facilities, or on local file servers. 

In accordance with data protection legislation, data is only retained for as long as is necessary to fulfil the purposes for which it was obtained, and not kept indefinitely. Some personal data is kept for different lengths of time, for example. 

• Records of admission to the school are kept permanently. We do this as pupils often ask us to confirm the dates, they attended the Academy. 
• Correspondence about a child’s absence is kept for the current year and 2 years afterwards  
• Records of your visits to schools are kept for the current year and 6 years afterwards  

We have a policy which explains how long we keep information and is called the Data Retention and Disposal policy and you can ask for a copy by emailing dataprotection@arkonline.org. 

Where your child(ren) is/are under the age of 13 it is usually assumed that they are not able to make decisions about their personal data. That right is usually given to those with parental responsibility. To access the personal data relating to your child(ren) you will need to follow the same procedure as you would to access your own personal data. 

If your child requests access to their own personal data, then we will normally refer that request to you for confirmation before releasing any data. 

Once your child(ren) reaches the age of 13, in most cases they are assumed to be able to make their own decisions about the use of their personal data. This means that we will not refer any request from a child(ren) over the age of 13 to a person with parental responsibility for access to their own personal data. Similarly, if you wish to make a request for data about your child(ren) who is over 13, we will refer that request to your child(ren) for consent for you to access their personal data. 

It is worth knowing that under the terms of the Data Protection Act (2018) parents do not have an automatic right to access information about their child(ren) through a subject access request and we are given one calendar month to respond to these requests. 

At times we will share your personal data with external organisations and people. We will only do this where we are legally required to do so, when our policies allow us to do so or when you have given your consent. We may share your personal information with the following: 

• Local Authories – to meet our legal obligations to share certain information with it, such as attendance and safeguarding concerns and information about exclusions;  
• Government departments or agencies (like the DfE).  
• Our regulator, Ofsted.  
• Suppliers and service providers – to enable them to provide the service we have contracted them for;  
• Police forces and Courts 
• Health and social and welfare organisations.  
• Professional advisers and consultants;  
• Charities and voluntary organisations. 
• Survey, research and security organisations;  

We do not normally transfer your information to a different country outside the EEA. However, some of our external third-party support partners are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA. 

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented, including:  

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;  
• Where we use certain service providers, we may use specific contractual clauses approved by the European Commission which give personal data the same protection it has in Europe. 

You have the right to do the following:  

• You can ask us for a copy of the information we have about you. This is called a ‘Subject Access Request’ 
• You can ask us to correct any information we have about you if you think it is wrong  
• You can ask us to erase information about you (however, we will provide you an explanation where this is not possible) 
• You can ask us to limit what we are doing with your information 
• You can object to what we are doing with your information  
• You can ask us to transfer your information to another organisation in a format that makes it easy for them to use 

There is more information in our Data Protection Policy which can be found here or you can ask for a copy at your child’s school. 

Ark Schools aims to comply fully with its obligations under the UK GDPR. If you have any questions or concerns regarding Ark’s management of personal data, please contact Ark’ Data Protection Officer using dataprotection@arkonline.org who is responsible for ensuring Ark Schools is compliant with the UK GDPR.  

If you feel that your questions or concerns have not been dealt with adequately on any data protection matter, please get in touch with us and the matter will be escalated to our Director of Governance. If you remain unhappy with our response or if you need any advice, you can contact the Information Commissioner’s Office (ICO). Please visit their website (www.ico.org.uk/concerns) for information on how to make a data protection complaint