Privacy Notices

Privacy policy

Privacy notices for the Witherslack Group

Date Reviewed	Reviewer	Notes
15/06/2022	K Spedding	Annual Review, amended grammar, amended Child Friendly Privacy Notice, removed Recruitment and Job Applicant Privacy Notices.
27/04/23	K Spedding	Payroll provision altered from Armstrong Watson to Payplus by IRIS
01/06/23	K Spedding	Clarification in Staff notice re confidential reference exemption.

This notice is intended to provide information about how The Witherslack Group will use (or "process") personal data about individuals including: our staff (applying, past and current); our current, past and prospective young people; their parents, carers or guardians (referred to in this policy as "parents"); and our contractors.

This Privacy Policy applies alongside any other information our sites’ (Schools and/or Children’s Homes) may provide about a particular use of personal data, for example when collecting data via an online or paper form or when signing in as visitors.

This Privacy Policy also applies in addition to our sites’ (Schools and/or Children’s Homes) other relevant terms and conditions and policies, including:

Data Retention Policy
Child Protection and Safeguarding Policies
Health and Safety Policy
Data Protection policy including, Bring Your Own Device (BYOD)
Cookie Policy (see on-line cookie policy on Witherslack Group website)
Safeguarding, pastoral, or health and safety policies, including as to how concerns or incidents are recorded; and
IT policies, including its E-Safety Policy, Acceptable Use Policies.

For ease of reference and understanding we have produced different Privacy Notices for the different categories of individuals we deal with.

Click the links below to be directed to the relevant Privacy document.

Contact/web privacy notice
Staff Privacy Notice
Young people Privacy Notice
Child friendly Privacy notice
Job Applicant and Recruitment Privacy Notice

1. Contact/Web Privacy Notice – How we use your information

Click the headings below to be directed to the relevant part of the Privacy document.

Who are we

Why do we collect and use your information

Categories of Personal information that we collect, hold and share include

Collecting your information

Storing your information

Who do we share your information with

Why we share your information

Your Rights

Queries and complaints

Back to the Top

Who are we

In this policy, whenever you see the words (‘We’, ‘Us’ or ‘Our’), it refers to Witherslack Group, Lupton Tower, Lupton, Cumbria, LA6 2PR. Registered with the Information Commissionaires Office (ICO) in England Company No: Z3410582. For the purposes of UK Data Protection Law, We are a data controller in respect of the personal information that We collect and process about you as described in this privacy notice.

Witherslack Group provides inspirational education and care to children and young people, resulting in life changing experiences and countless stories of success.

We are a leading provider of specialist education and care for children and young people with social, emotional and mental health needs, communication difficulties (autistic spectrum conditions, Asperger’s Syndrome, speech, language and communication needs) and complex learning needs.

Our focus on support, care and acceptance allows each young person to develop as an independent individual, equipped with the knowledge, experience and life skills to look to the future with increased confidence and aspiration.

Why do we collect and use your information

We lawfully process your information in accordance with current Data Protection legislation (UK) General Data Protection regulation (GDPR) Article 6 (1) (a) (c) (f). This means We may process your personal data with your consent , as required in law, as part of a contract or for Our legitimate business interests. “Legitimate Interests” means the interests of Our company in conducting and managing Our business and providing you with the best services and products in the most secure way. We do this;

to ensure that content from Our site is presented in the most effective manner for you and for your computer,
to provide you with information about Our services or offers that you request from Us or which we feel may interest you, where you have consented to be contacted for such purposes,
to contact you regarding your opinions on Our services which may be used for marketing, research and analysis, where you have consented to be contacted for such purposes,
to help Us identify you when you contact or visit Us,
for general administration purposes,
to help Us improve the quality of Our products and services,
to help Us detect and prevent fraud and money laundering,
to carry out analysis and customer profiling,
when you communicate with us for customer service or other purposes (e.g., by emails, faxes, phone calls, tweets, etc.), we retain such information and our responses to you in the records of your account,
to collect Payment for services delivered.

When We process your personal data for Our legitimate business interests We always ensure that We consider and balance any potential impact on you and your rights under data protection laws.

If you have any concerns about the processing described above, you have the right to object to this processing. For more information on your rights please see the Your Rights section below.

Categories of Personal information that we collect, hold and share include

For the above purposes We will only ever collect the information We need – including data that will be useful to help improve Our services.

We may collect and process the following data about you:

Name
Address
Email
Telephone number
Cookies (not linked to the above data)
IP addresses
Financial data

You may be directed to a third party processor to obtain banking details in relation to an event.

All processors are managed in accordance with Data Protection Legislation, with contracts in place formalising compliance.

Collecting your information

We may collect and process the following data about you:

Personal information (such as name, postal address, phone number, email address, financial info) that you provide by filling in forms;

on our web site (witherslackgroup.co.uk), when signing up for a newsletter or completing the referral/question section,
in our schools and homes and when you contact us via telephone, in person or by letter.

This will also include information volunteered by you when you;

subscribe to receive one of our e-communications,
order a brochure,
enquire about a specific service, school or home,
request information via telephone,
request a call back,
respond to a campaign,
enter a competition or promotion,
submit a question to Us or provide Us with feedback,
Booking a service/event.

We also process data from details of your visits to Our site including but not limited to:

IP addresses (the location of the computer on the internet)
Pages accessed and
Files downloaded
Cookies

This is statistical data about Our users’ browsing actions and patterns, and does not identify any individual. It simply allows Us to monitor and improve Our service.

This helps Us to determine:

How many people use Our sites
How many people visit on a regular basis, and How popular Our pages are

Our site uses cookies to distinguish you from other users of Our site. This helps Us to provide you with a good experience when you browse our site and allows Us to improve Our site. For detailed information on the cookies We use and the purpose for which We use them please see our Cookie Policy available as a link from all of our website pages. If you want to disable cookies you can also refer to your browser help.

In order to comply with Current Data Protection Legislation including the (UK) General Data Protection Regulation, we will inform you whether you are required to provide information to us or if you have a choice in this. Whenever the processing of your personal data requires your consent then you will be given the opportunity to opt-in or opt-out to having your contact details used as set out above, at the time your details are submitted.

For example, when you request information, you can tell Us when you provide your details if you do not want to receive any other information from Us or Our partners, or you can let Us know how best to get in touch with you with information that may be of interest.

If you do not wish Us to use your data as set out above, or to pass your details on to third parties for marketing purposes, please leave the relevant boxes, situated on the form which We used to collect your data, blank/unticked.

At any time if you no longer wish to receive marketing emails or other promotional materials from Us, you may opt-out of receiving these communications at any time by one of the following methods;

by replying to the email address listed on the web page,
by opting out on the marketing message,
by writing to the data protection officer at Witherslack Group, Lupton Tower, Carnforth, LA6 2PR,
by calling the data protection officer on 015395 66081,
by e-mailing the data protection officer at dataprotection@Witherslackgroup.co.uk.

Storing your information

Information is stored by Us on computers located in the UK. We may transfer the information to other reputable third-party organisations as explained below – they may be situated inside or outside the European Economic Area however we will only share if they provide appropriate assurances as to security and management of the data. We may also store information in paper files.

We have security protocols and policies in place to manage and record your data privacy and preferences correctly and that your data is stored securely to protect against its loss, misuse and alteration. Documentation can be supplied on request from our Data Protection Officer who is contactable by emailing dataprotection@witherslackgroup.co.uk.

Unfortunately, the transmission of data across the internet is not completely secure and whilst we do our best to try to protect the security of your information we cannot ensure or guarantee that loss, misuse or alteration of data will not occur whilst data is being transferred. To mitigate this risk all emails from the Witherslack Group with personal information on are sent encrypted.

We will keep your information only for as long as we need it to provide you with the services or information you have required, to administer your relationship with us, to comply with the law, or to ensure we do not communicate with people that have asked us not to. When we no longer need information, we will always dispose of it securely, using specialist companies if necessary to do this work for us.

We will hold your records securely until;

all emails sent to us or from us will be retained for a period of 3 months (for some Managers emails will be retained for a period of 12 months) with relevant information relating to young people or staff transferred to the appropriate file and retained in accordance with our statutory requirements,
name, date of birth, telephone numbers submitted through the web site will be reviewed within two years. You will be contacted for you to consider extending this for a further two years,
any notes relevant to identified young people or staff will be transferred to their file and retained in accordance with legislation (see Retention Schedule).

Third-party service providers will also store information, however there are strict conditions as to security, retention and sharing which enable us to control personal information held by them. This is to ensure your preferences with us are replicated with the third-party service providers. They will hold your information for our purposes only.

Who do we share your information with

There are strict controls on who can see your information. We will not share your data if you have advised us that you do not want it shared unless we are legally required to do so.

We may also disclose your personal information to third parties, if we are under a duty to disclose or share your personal data for legal or regulatory purposes, in relation to existing or future legal proceedings, for the prevention of fraud/loss or to protect the rights, property, safety of our Group, our customers or others.

We have robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether we release data to third parties are subject to a strict approval process and based on our detailed assessment of;

who is requesting the data,
the purpose for which it is required,
the level and sensitivity of data requested, and
the arrangements in place to store and handle the data,
arrangements for return/destruction,
ability to facilitate a subject access request.

Below is a table of the third-party service providers and business partners to whom we may disclose your data.

Why we share your information

Just like most other organisations, We work with third-party service providers which provide important functions on our behalf allowing us to be easier, faster, and friendlier in the way we deliver Our services. We need to disclose user data to them from time to time, for any of the purposes set out above, so that the services can be performed.

As previously highlighted We do not share your information with anyone without your consent or unless the law and our policies allow us to do so.

Below are the authorities under which we share your data and with whom we share.

Who we share with	Why we share	What is shared
Eventbrite	To arrange for payment for events etc. Payment made through Eventbrite link on the web (links to Stripe).	You provide contact details (name address and telephone no) primary needs, opinions event attendance and banking details. In turn Eventbrite share your E-mail contact with Us.
Department of Education	Information in relation to referrals or enquiries may be shared.	Contact details of parents/young peoples and carers as well as attainment information for young peoples.
Local Authorities	Information in relation to referrals or enquiries may be shared.	Contact details of parents/young peoples and carers as well as previous family circumstances.
Hubspot	Manage internet interactions central control of marketing.	Contact details (name address and telephone no) , email address IP address, interaction with web.
Stripe	Payment processor.	Bank details.
Survey monkey	Feedback.	Logon details email address (see cookies).
Go to Webinar	Provision of Webinar events.	Logon details (see cookies).
Hotjar	Web optimisation.	Location, IP address, sites visited journey in WG site (see cookies).

Your Rights

Under data protection legislation, parents and young people have the right to request access to information about them that we hold. You can do this free of charge and the information will be considered and provided within a month of your request. You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals (and parents need to be aware this may include their own children, in certain limited situations – please see further below), or information which is subject to legal privilege (for example legal advice given to or sought by us, or documents prepared in connection with a legal action).

Young people can make subject access requests for their own personal data, provided that, in our reasonable opinion, they have sufficient maturity to understand the request they are making. A young person of any age may ask a parent or other representative to make a subject access request on his/her behalf. Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of a young person, the law still considers the information in question to be the child’s. For more mature young people, the parent making the request may need to evidence their child's authority for the specific request.

WG believe that Young People aged 13 and above are generally assumed to have this level of maturity, although this will depend on both the child and the personal data requested, including any relevant circumstances at home. Slightly younger children may however be sufficiently mature to have a say in this decision, depending on the child and the circumstances.

All information requests from, on behalf of, or concerning young people – whether made under subject access or simply as an incidental request – will therefore be considered on a case by case basis.

You also have the right to:

Object to processing of personal data that is likely to cause, or is causing, damage or distress
Prevent processing for the purpose of direct marketing
Object to decisions being taken by automated means
In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
Claim compensation for damages caused by a breach of the Data Protection regulations

If you wish to exercise any of these rights please contact the Data Protection Officer;

by writing to the data protection officer at Witherslack Group, Lupton Tower, Carnforth, LA6 2PR,
by calling the data protection officer on 015395 66081,
by E-mailing the data protection officer on dataprotection@Witherslackgroup.co.uk, or
by speaking to any member of staff.

Queries and Complaints

If you believe that we have not complied with this policy or acted otherwise than in accordance with Data Protection Legislation, you should notify The Data Protection Officer on dataprotection@Witherslackgroup.co.uk.

You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with The Witherslack Group directly before involving the regulator.

For more information about your rights under the Data Protection Act contact the Information Commissioner’s Office https://ico.org.uk/.

2. Staff Privacy Notice – How we use your information

Click the headings below to be directed to the relevant part of the Privacy document.

Who are we

Why do we collect and use your information

Categories of Personal information that we collect, hold and share include

Collecting your information

Storing your information

Who do we share your information with

Why we share your information

Your Rights

Queries and complaints

Back to the Top

Who are we

In this policy, whenever you see the words (‘We’, ‘Us’ or ‘Our’), it refers to Witherslack Group, Lupton Tower, Lupton, Cumbria, LA6 2PR. Registered with the Information Commissioners Office (ICO) in England Company No: Z3410582. For the purposes of UK Data Protection Law, We are a data controller in respect of the personal information that We collect and process about you as described in this privacy notice.

Witherslack Group provides inspirational education and care to children and young people, resulting in life changing experiences and countless stories of success.

Why do we collect and use staff information

We lawfully process your information in accordance with current, Data Protection Legislation, including (UK) General Data Protection Regulation (GDPR) Article 6 (a) (b) (c) (f) . We may process your personal data with your consent, in law, as part of your employment contract and or for our legitimate business interests or in law. “Legitimate Interests” means the interests of our company in conducting and managing our business and providing you with the best services and products in the most secure way. We do this;

to contact you regarding your opinions on Our services which may be used for marketing, research and analysis, where you have consented to be contacted for such purposes,
organisational promotion and marketing,
for general administration purposes,
to help Us improve the quality of Our products and services,
to help Us detect and prevent fraud and money laundering,
to help Us recover debts,
to carry out analysis and staff profiling,
performance records,
to support learning and CPD,
to comply with law in relation to Safeguarding,
safeguarding Young people,
providing Education and Care.

When We process your personal data for Our legitimate business interests We always ensure that We consider and balance any potential impact on you and your rights under data protection laws.

If you have any concerns about the processing described above, you have the right to object to this processing. For more information on your rights please see the Your Rights section below.

In Law there are also requirements to carry out pre-employment checks in relation to safeguarding and right to work, such as:

DBS checks
Employment rights
PAYE
Pension provision
Right to work
Safeguarding

Categories of Personal information that we collect, hold and share include

We will only ever collect the information We need – including data that will be useful to help improve Our services.

We may collect and process the following data about you:

Personal information to support recruitment and employment including safeguarding requirements in Law (such as name, postal address, phone number, E-mail address, NI number, driving licence details, photo, PAYE details, Passport, Bank details, utility provider details, Marriage certificate, birth certificate. Employee no., vehicle details)
Special categories of personal information to support you in the workplace (such as trade union membership, health data)
Criminal convictions as required in law to ensure safeguarding
Vehicle details (image in premises with ANPR provision)as a security safety measure

Collecting your information

We may collect and process the following data about you:

Personal information (such as name, postal address, phone number, email address, NI number, driving licence details, photo, PAYE details, Passport, Bank details, utility provider details, marriage certificate, birth certificate. Employee no., vehicle details, that you provide by filling in forms;

through a recruitment process (HR) (see separate Privacy doc for more detail of unsuccessful candidates),
through finance P.A.Y.E department,
through personal development portfolios,
CCTV (visual and potentially audio profile and vehicle registrations),
ANPR vehicle details,
obtained through training providers,
direct from staff members,
special categories of personal data processed (such as health processed through GDPR Article 9 (2) (h) (OHU and fitness for work),
obtained through sickness reporting and self-certification,
through finance P.A.Y.E.

As governed by Our Data Protection policy which includes Appendix Bring Your Device Policy (BYOD) and also your employment contract.

We also process data from details of your visits to Our WIFI including but not limited to:

IP addresses (the location of the computer on the internet)
Pages accessed, and
Files downloaded
Cookies

In order to comply with current Data Protection Legislation, including the (UK) General Data Protection Regulation, we will inform you whether you are required to provide information to us or if you have a choice in this. Whenever the processing of your personal data requires your consent then you will be given the opportunity to opt-in and then to opt-out if you so desire.

Storing your information

Information is stored by us on computers located in the UK. We may transfer the information to other reputable third-party organisations as explained below – they may be situated inside or outside the European Economic Area however we will only share if they provide appropriate assurances as to security and management of the data. We may also store information in paper files.

Unfortunately, the transmission of data across the internet is not completely secure and whilst We do our best to try to protect the security of your information We cannot ensure or guarantee that loss, misuse or alteration of data will not occur whilst data is being transferred. To mitigate this risk all emails from the Witherslack Group with personal information on are sent encrypted.

We will hold your staff records securely as outlined below:

Job applicants - for more info see Section 5 (Recruitment and Job Applicants Privacy Notice on the Networx website).
- Personal information about unsuccessful candidates;
  - external candidate; will be destroyed or deleted. ( see below table ) Their details will remain with third party provider to enable us to search against future jobs. (see separate Privacy notice for Job Applicants for more detail)
  - internal candidate; reference will be retained on the staff file in accordance with Current employee retention.
- Successful candidates/employee - once a person has taken up employment with Us, We will compile a staff file relating to their employment.
Current employee; information may be maintained on both computer and on paper. In both cases the information contained will be kept secure and will only be used for purposes directly relevant to that person’s employment. There is secure storage, encrypted transmission and controlled access relevant to the staff position held.
Former employee; once their employment with Us has ended, We will retain the file in accordance with the requirements of Our retention schedule and then delete it. We will retain personal data securely and only in line with how long it is necessary to keep for a legitimate business and lawful reason. Typically, the legal recommendation for how long to keep a staff file is 7 years following departure. There may be occasions when a staff file is held for longer in accordance with out retention schedule and legal requirements. However, staff personal data in relation to incident reports and safeguarding files may need to be kept much longer, in accordance with specific legal requirements. Files will be kept securely electronically and/ or in hard copy. All transmissions and storage will be encrypted and with access controls in place.
Agency Staff or Sole traders;
Current information is maintained on both computer and on paper. In both cases the information contained will be kept secure and will only be used for purposes directly relevant to that person’s employment. There is secure storage, encrypted transmission and controlled access relevant to the staff position held.
Former once their employment with Us has ended, We will retain the file in accordance with the requirements of Our retention schedule and then delete it. We will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the legal recommendation for how long to keep records relating to employment is 7 years following departure. There may be occasions when such records are held for longer in accordance with out retention schedule and legal requirements. However, personal data in relation to incident reports and safeguarding files may need to be kept much longer, in accordance with specific legal requirements. There is secure storage, encrypted transmission and controlled access relevant to the staff position held.
All emails sent to us or from us will be retained for a period of 3 months (in the case of some managers emails are retained for a period of 12 months) with relevant information relating to young people or staff transferred to the appropriate file and retained in accordance with our statutory requirements.

WG have a retention schedule within their policy documents.

Who do we share your information with

There are strict controls on who can see your information. We will not share your data if you have advised us that you do not want it shared unless we are legally required to do so or there is a recognised legitimate business interest.

We have robust processes to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether we release data to third parties are subject to a strict approval process and based on our detailed assessment of;

who is requesting the data,
the purpose for which it is required,
the level and sensitivity of data requested, and
the arrangements in place to store and handle the data,
arrangements for return/destruction,
ability to facilitate a subject access request.

We share information with the following (See table below in why we share our information for more detail).

Why we share your information

Just like most other organisations, we work with third-party service providers which provide important functions on our behalf allowing us to be easier, faster, and friendlier in the way we deliver our services. We need to disclose user data to them from time to time, as part of our legal obligations and legitimate business interests, so that the services can be performed.

As previously highlighted we do not share your information with anyone without your consent unless the law and our policies allow us to do so.

Below are the authorities under which we share your data and with whom we share.

Who we share with	Article 6 basis	Why we share	What is shared
HMRC tax office	In law.	PAYE and TAX.	Name, date of birth, address. NI number, pay, bank details.
Payplus by IRIS	In law. contractual	Payroll provision .	Name, date of birth, absence, NI number, pay details, bank account details, hours worked expenses, identifier, pension details, maternity, paternity, attachment of earnings , student loan
Networx	Legitimate business interest and in law.	Recruitment portal.	Full CV details, name, date of birth, address, telephone, email, previous employment references, salary, equality and diversity, criminal convictions, gender, previous address, education attainment history.
Occupational Health - Health Partners	Employment Contract.	Occupational health.	Name, employee number, health, gender , address, telephone, E-mail address.
Find My shift	Legitimate business interest.	Shift organiser.	Names, shifts, hours, location.
Capita (Security Watchdog)	Employment contract.	DBS check Completed by the subject in the first instance. Consensual to provide the detail to DBS service. Witherslack Group receive an update form the service with minimal information on.	Names, convictions, date of birth, address and previous address.
DH licence checks	Legitimate business interest.	To ensure legal obligations in relation to provision of company vehicles and authorised drivers. Driving licence checks.	Name, date of birth, driving licence details.
Happiness Index	Legitimate business interest.	Staff survey to improve provision of services to staff in the workplace.	Name, age bracket, work E-mail, location, role.
Scottish Widows	In law.	Pension provider.	Name, salary, date of birth, address, E-mail, NI number, employee number, unique id, pension status.
Teachers Pensions	In law.	Pension provider.	Name, salary, date of birth, address, E-mail, NI number, employee number, unique id, pension status.
Training providers	Legitimate business interest.	Provision of training in relation to team teach, first aid, health and safety etc.	Name, email, date of birth, site, role.
Learning Pool	In law and legitimate business interest.	Provision of learning management system.	Name, role, work email address, education and accreditation.
Medicash	Legitimate business interest.	Health and welfare support.	Name, work email address.
Local Authorities	In law.	Requirement of provision of care and education (e.g EHCP).	Name, role.
Verizon	Legitimate business interest.	Vehicle tracking	Name location driver behaviour.
Sage	In law and legitimate interest.	Staff management (HR).	Staff file - recruitment and initial employment data. Performance, annual leave, Next of Kin details.
Reward gateway	Legitimate business interest.	Staff recognition and rewards.	Staff names, role and work contact email.

Your Rights

Under data protection legislation, you have the right to request access to information about you that we hold. You can do this free of charge and the information will be considered and then provided within a month of request.

You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include (but is not limited to) information which identifies other individuals, information contained in a confidential employment reference provided to, supplied by, the Witherslack Group or information which is subject to legal privilege (for example legal advice exchanged relating to Witherslack Group or documents prepared in connection with a legal action). Each application will be assessed on a case to case basis.

You also have the right to:

Object to processing of personal data that is likely to cause, or is causing, damage or distress
Prevent processing for the purpose of direct marketing
Object to decisions being taken by automated means
In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
Claim compensation for damages caused by a breach of the Data Protection regulations

If you wish to exercise any of these rights please contact the Data Protection Officer;

by writing to the data protection officer at Witherslack Group, Lupton Tower, Carnforth, LA6 2PR,
by calling the data protection officer on 015395 66081,
by E-mailing the data protection officer on dataprotection@Witherslackgroup.co.uk, or
by speaking to any member of staff.

Queries and Complaints

If you believe that We have not complied with this policy or acted otherwise than in accordance with Data Protection Legislation, you should notify The Data Protection Officer on dataprotection@Witherslackgroup.co.uk.

You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with The Withersalck Group directly before involving the regulator.

For more information about your rights under the Data Protection Act contact the Information Commissioner’s Office https://ico.org.uk/.

3. Privacy Notice – How we use young people’s information

Click the headings below to be directed to the relevant part of the Privacy document.

Who are we

Why do we collect and use your information

Categories of young people’s Personal information that we collect, hold and share include

Collecting young people’s information

Storing young people’s information

Who do we share young people’s information with

Why we share young people’s information

Your Rights

Queries and complaints

Back to the Top

Who are we

Witherslack Group provides inspirational education and care to children and young people, resulting in life changing experiences and countless stories of success.

Why do we collect and use young people’s information

We lawfully process your information in accordance with General Data Protection regulation (GDPR) Article 6 (a) (c) (f). We may process your personal data with your consent, authorised in Law or for Our legitimate business interests. “Legitimate Interests” means the interests of Our company in conducting and managing our business and providing you with the best care and education in the most secure way. We do this;

for the purpose of placement selection,
provision of safe care,
to support young people’s learning including but not limited to musical education, physical education, spiritual development, career services, trips, computer skills,
to monitor and report on young person’s progress,
to provide appropriate pastoral care,
to provide effective communication with parents/carers,
to provide effective communication with staff,
to provide effective communication with local authorities,
for management and planning,
to assess the quality of our services,
to comply with the law regarding data sharing,
to support you to decide what to do after you leave home or school.

Categories of a young person’s information that we collect, hold and share include

We will only ever collect the information We need – including data that will be useful to help improve Our services.

We may collect and process the following data about you:

Personal information (such as name, unique pupil number and emergency contact details and family background information – this will include parent/carer contact details),
Education and attainment information,
Characteristics (such as ethnicity, language, nationality, country of birth) ,
Attendance information (such as sessions attended, number of absences and absence reasons),
National curriculum assessment results,
Special educational needs information,
Relevant medical information,
Information necessary to keep you safe (child protection,)
Internet usage.

Collecting a young person’s information

We may collect and process the following data about you:

Personal information (such as name, postal address, phone number, E-mail address, pupil number, photo, Passport, Bank details, birth certificate, family information) through;
- the local Authority referral process,
- information provided by you,
- multi-agency meetings,
- from parents/carers,
- CCTV (visual and potentially audio profile),
- photographs as part of learning programme and safeguarding.

Special Categories of personal data processed (such as health processed through GDPR Article 9 (2)(a)(h)(f)(g). In summary this means that your personal data is used to support and protect you in your education and care. There will be occasion when your data is processed with your consent (or that of an appropriate adult representing you). Where this is the case you will have the right to change your mind.

There will also be cases when the processing is required to protect you and keep you safe. Where possible you will be informed of this processing but on occasion data may be processed/shared with others to safeguard you or other young people, such as:

- medical information from health service,
- SEN details from Local authority,
- gender and religion through local authority or parents or from subject,
- behavioural information.

As governed by our Data Protection Legislation including Appendix - Our Bring Your Device Policy (BYOD) and also the employment contract we also process data from details of your visits to our WIFI including but not limited to:

- IP addresses (the location of the computer on the internet)
- Pages accessed, and
- Files downloaded
- Cookies

In order to comply with current Data Protection Legislation the General Data Protection Regulation, we will inform you whether you are required to provide information to us or if you have a choice in this. Whenever the processing of your personal data requires your consent then you will be given the opportunity to opt-in and then to opt-out if you so desire.

Storing a young person’s information

We take steps to ensure that any organisations that we share your data with will have security protocols and policies in place to manage and record your data privacy and preferences correctly and that your data is stored correctly. We will not share your data if you have advised us that you do not want it shared unless it is the only way we can make sure you stay safe and healthy or we are legally required to do so.

Unfortunately, the transmission of data across the internet is not completely secure and whilst We do our best to try to protect the security of your information we cannot ensure or guarantee that loss, misuse or alteration of data will not occur whilst data is being transferred. To mitigate this risk all e-mails from the Witherslack Group containing personal information are sent encrypted.

We keep information about you on computer systems and also sometimes on paper.

Current young people: information may be maintained on both computer and on paper. In both cases the information contained will be kept secure and will only be used for purposes directly relevant to that person’s employment. Storage and transmissions are encrypted and access controls are in place.
Young People who have left have their records archived in accordance with the requirements of our retention schedule. We will retain personal data securely and only in line with how long it is necessary to keep for a legitimate business need or and lawful reason. In general educational records are held until the young person is 32 years old. Files will be kept securely electronically and/or in hard copy. Storage and transmissions are encrypted and access controls are in place.
Where a young person moves school education and safeguarding information is provided to the new school and then the files area archived in accordance with the requirements of our retention schedule. We will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. In general education files are retained until the you are 32 years of age. Files will be kept securely electronically and/or in hard copy.
All emails sent to us or from us will be retained for a period of 3 months (in the case of some managers emails will be retained for a period of 12 months) with relevant information relating to young people or staff transferred to the appropriate file and retained in accordance with our statutory requirements.

Care and education records are stored and retained in compliance with the appropriate Law and Regulations governing the activity. WG have a retention document within their policies.

Who do we share a young person’s information with

We routinely share a young person’s information with:

Schools or colleges that the young people attend after leaving us,
The local authority and their commissioned providers of local authority service,s
The Department for Education (DfE),
The joint council for qualifications (JCQ),
OFSTED,
Regulatory Inspection visitors,
Health and Safety Executive,
Staff in homes and schools,
Clinical staff,
Parents/carers,
LADO,
Police,
Quality Assurance Visitors,
Multi-agency forums around (LAC and PEP),
External education providers (including on-line learning platforms).

Why we share a young person’s information

Just like most other organisations, we work with third-party service providers which provide important functions to us that allow us to be easier, faster, and friendlier in the way we deliver our services. We need to disclose user data to them from time to time, as part of our legal obligations and legitimate business interests, so that the services can be performed.

As previously highlighted we do not share your information with anyone without your consent unless the law and our policies allow us to do so. We have robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data.

Decisions on whether we release data to third parties are subject to a strict approval process and based on a detailed assessment of;

who is requesting the data,
the purpose for which it is required,
the level and sensitivity of data requested, and
the arrangements in place to store and handle the data,
arrangements for return/destruction,
ability to facilitate a subject access request.

Below are authorities under which we share your data and with whom we share.

Who we share with	Article 6 basis	Why we share	What is shared
Schools or colleges that the young people attend after leaving us	In law.	To further the education provision.	Educational records.
The local authority and their commissioned providers of local authority services	In law.	Provision of care and education for young people with SEN and Looked after Children.	Educational record, Education Health Care Plan, Looked after Children notes, multi-agency forum notes, personal education plans.
The Department for Education (DfE)	In law	Educational attainment policy and monitoring. The National Young people Database (NPD). Provision of young people record number.	https://www.gov.uk/education/data-collection-and-censuses-for-schools; name of young people.
The joint council for qualifications (JCQ )	Legitimate business interest.	Currently signed for on a JCQ consent form however the detail is provided to them by Us as a legitimate business interest. Attendance for the exam is consensual.	Name, date of birth, any health considerations to enable reasonable adjustments to take the exam.
OFSTED	In law.	Ensuring a monitored and accountable service provision is in place.	All relevant personal or sensitive information (restricted by purpose of visit to minimise data) reported upon anonymously.
Regulatory Inspection visitors	In law.	Ensuring a monitored and accountable service provision is in place.	All data of staff residents and young peoples as deemed appropriate by the inspector.
Health and Safety Executive	In law.	Safety in the work place …. Safety in the schools and homes. Consideration as to the level of safeguarding needed on each site which is commensurate with the behavioural/risk posed.	Environmental information and personal information, behaviour, health.
Staff in homes and schools	Legitimate business interest.	Maintaining a safe environment for the provision of necessary care and specialist education. Pastoral support and safeguarding.	Behaviour reports, personal contact details, multi-agency reports.
Clinical	Consent , legitimate business interest.	Provision of support for Special Educational needs.	Personal data name. date of birth, family circumstances, behaviour, risk assessment, EHCP, and health data.
Parents/carers	Legitimate business interest, in law.	To enable the provision of educational support at home. In general, We will assume that a young person consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about the young person's activities, progress and behaviour, and in the interests of the young person's welfare. That is unless, in The School or Home’s opinion, there is a good reason to do otherwise. However, where a young person seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, The School or Home may be under an obligation to maintain confidentiality unless, in The School or Home’s opinion, there is a good reason to do otherwise, for example where The School or Home believes disclosure will be in the best interests of the young person or other young people, or if required by law.	Ongoing reports and communication in relation to behaviour and achievement.
LADO	In law.	Keeping Children safe in education.	All relevant personal or sensitive information (restricted by circumstance to minimise data).
Police	In law.	Keeping children safe in education.	All relevant personal or sensitive information (restricted by circumstance to minimise data).
Quality assurance visitors	Legitimate business interest.	Ensuring that the service provision is of the highest standard and compliant with regulation/Law.	All relevant personal or sensitive information (restricted by purpose of visit to minimise data) reported upon anonymously.
Multi-agency forums (LAC and PEP)	In law.	Keeping Children safe in education.	All relevant personal or sensitive information (restricted by circumstance to minimise data).
External education providers	Legitimate business interest.	Provision of external educational support to further develop the young person (inclusive of online Apps).	Name, date of birth, address and potentially health data to support the learning plan.

Your Rights

Under data protection Legislation you and in some cases your parent/guardian have the right to request access to information about you that we hold. You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals (and parents need to be aware this may include their own children, in certain limited situations), some safeguarding, or information which is subject to legal privilege (for example legal advice given to or sought by Us, or documents prepared in connection with a legal action).

We are also not required to disclose any examination marks ahead of any ordinary publication.

You may ask a parent or other representative to make a subject access request on your behalf.

Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of a young person, the law still considers the information in question to be yours.

Young people can make subject access requests for their own personal data, provided that, in our reasonable opinion, they have sufficient maturity to understand the request they are making. A young person of any age may ask a parent or other representative to make a subject access request on his/her behalf. Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of a young person, the law still considers the information in question to be the child’s: for more mature young people, the parent making the request may need to evidence their child's authority for the specific request.

The Witherslack Group believe that Young People aged 13 and above are generally assumed to have this level of maturity, although this will depend on both the child and the personal data requested, including any relevant circumstances at home. Slightly younger children may however be sufficiently mature to have a say in this decision, depending on the child and the circumstances.

You also have the right to:

Object to processing of personal data that is likely to cause, or is causing, damage or distress
Prevent processing for the purpose of direct marketing
Object to decisions being taken by automated means
On certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
Claim compensation for damages caused by a breach of the Data Protection regulations

If you wish to exercise any of these rights please contact the Data Protection Officer;

by writing to the data protection officer at Witherslack Group, Lupton Tower, Carnforth, LA6 2PR,
by calling the data protection officer on 015395 66081,
by E-mailing the data protection officer on dataprotection@Witherslackgroup.co.uk; or by
speaking to any member of staff.

Queries and Complaints

If you believe that We have not complied with this policy or acted otherwise than in accordance with Data Protection Law, you should notify The Data Protection Officer on dataprotection@Witherslackgroup.co.uk.

You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with The Withersalck Group directly before involving the regulator.

For more information about your rights under the Data Protection Act contact the Information Commissioner’s Office https://ico.org.uk/.

Back to the top of the document

4. Child Friendly Privacy Notice

Click the headings below to be directed to the relevant part of the Privacy document.

Who we are

Why we collect and use your information

What type of information we collect, hold and share

Where we get your information from

Where we keep your information and for how long we keep it

Who we share your information with and why we share it

What we use your information for

What your rights are

What to do if you want to make a complaint

Back to the Top

Who we are

We are the Witherslack Group. we run your school and also some children’s homes. This means we are responsible for looking after your personal data.

Why we collect and use your information

We need information about you to help us deliver your education and to look after you. We keep this information to help show when you are at school, how well you are doing and how we are helping you be even better.

What type of information we collect, hold and share about you

Personal data is information we keep about you. Things like your name, where you live, your date of birth, your address, your behaviour and your school reports.

Where we get your information from

Some of the information comes from your family or carers when you start school or move into a home. We let your parents and carers know what information we need. Sometimes we need their permission and they can say no. We tell them even more about how we use your data on the grown up version of this form.

Sometimes it comes from the local authority or another school or home you were at previously.

And lots of it comes from you. Things like the school work you do, how you are behaving or when you do something important like visit your family or go on a trip.

Where we keep your information and for how long we keep it

We keep your data on computer systems and on websites that we have checked to make sure they are safe. Sometimes we even write information down but only people who work for us or those we give permission to can see it.

We keep most of your school information until you are 32 years old, or as long as the law says we must keep it. When we don't need it we destroy it.

Who we share your information with and why we share it

We share some of your information with your parents and carers. Sometimes the government ask us for information about who is at a school or who we look after in our homes. We have to do this for everyone and we do this to keep you safe.

If you move to another school or home we will share information with them so they can help you as well.

We share your information to teach you and to keep you safe and to tell your parents and carers how you are doing.

What your rights are

You can do the same things as grown-ups with your information. You can ask us what information we have, or even to change information you think is wrong. There is more you can do but your parents and carers will help you with this until you understand it.

We also employ a data protection oﬃcer to make sure that we look after your data properly.

What to do if you want to make a complaint

Ask any of your teachers, parents or carers if you have any questions and they will help you.

There are more details in the section above (How We Use Young Peoples Information).

Back to the top of the document

5. Job Applicant and Recruitment Privacy Notice

When you apply for a job or register an interest in working with The Witherslack group you will do so via Networx. Please see the applicable Recruitment and Job Applicant Privacy Notices available on the Networx website.

Back to the top of the document