1. introduction 3
2. Data Controller 3
3. Data Protection Officer 3
4. Retained Personal Data 3
5 Day to Day Use of Data 4
6. Data Storage 4
7. Data Sharing 4
8. The Right of the Individual 4
9. What to expect from a ‘Subject Access Request’ 5
10. Response times to a ‘Subject Access Request’ 5
11. Is there a charge for a subject access request?. 5
12. What if the personal data retained is incorrect?5
13. Other rights..5
On the 25th May 2018 the General Data Protection Regulation (GDPR) will be introduced throughout the EU. GDPR is legislation that is intended to improve the way in which people’s personal data is maintained in a safe and secure way. In addition it also enhances the way in which the legal rights of an individual are protected in respect of their own personal data.
This policy is intended to outline how the Kedleston will utilise the personal data that is obtained and maintained in connection with the day to day running of the company, including the schools and homes that it operates. This includes data in respect of previous, current and future pupils, their parents, carers and guardians as well as staff and other internal and external stakeholders.
2. Data Controller
The role of the Data Controller is to determine how an individual’s personal data is processed and for what purpose it may be used. Under the new legislation the Data Controller is the Kedleston Group.
3. Data Protection Officer
The Data Controller will be guided and supported in discharging their responsibility by the Kedleston Data Protection Officer. This is a role shared by Tony Hurran (Group Finance Director) and Lee Reed (Chief Operating Officer). Their role is determine and agree what information may be shared and to ensure that it is processed in accordance with this policy and overall Data Protection Law, when the school receives a request or enquiry requesting information that includes personal data.
The Data Protection Officer is also required to ensure that personal data retained either corporately or by the schools or homes:
- Is stored securely
- Is processed in accordance with GDPR guidelines
- Is collected for legitimate purposes only
- Is current and appropriate
- Is necessary in order to support the placement
- Is retained for only as long as it is required
4. Retained Personal Data
The Kedleston Group retains personal data not only about the pupils and young people placed in our homes, but also about parents, carers and guardians. Additionally, personal data is retained in respect of staff and other internal and external stakeholders. Examples of the information held includes:
- Contact details (home and work), date of birth, information pertaining to GP, Dentist and other health and social care professionals.
- Safeguarding information (including previous history)
- Details pertaining to previous schools, placements, education and care interventions.
- Results of assessments, pupil progress, individual tests and results.
- Attendance register
- Where there is CCTV within the school then images may be captured and retained.
- Staff records (including previous references, performance, sickness data etc.)
*The above are examples and are not intended as an exhaustive list.
5. Day to Day use of data
Personal data is used on a day to day basis within the company for varying purposes. Examples may include, but are not limited to:
- To ensure the safeguarding and well-being of young people.
- As part of the referral and placement process communication between the school and LA
- To monitor and report on pupil progress.
- To comply with external requests for information such as the educational census
- Monitoring young people’s behaviour
- As part of internal Kedleston Group internal school reporting, monitoring and analysis.
- In exceptional circumstances sharing with Police in the event of a young person absconding from school.
- As part of acknowledging, celebrating and communicating events and achievements of the young people within the school.
- Providing information in support of a young person’s transfer to a new school.
- To provide references for new employers
- For disciplinary purposes
- In order to provide health and well-being support to staff.
- For performance management purposes.
6. Data Storage
The personal data collected is retained either on computer in various software programmes or in hard copy paper format.
Personal data is maintained whilst the young people, staff and other internal and external stakeholders are placed, reside, work or are contracted to undertake tasks on behalf of the Kedleston Group. There are certain legal requirements that require information to be maintained securely for defined periods of time once a pupil or young person in residential services has moved on. The same applies for staff and other internal and external stakeholders who are engaged to undertake work on behalf of the Kedleston Group. Details of these time requirements are available from the Kedleston Data Protection Officer.
7. Data Sharing
No personal data relating to a pupil, residential placement, member of staff or any other internal or external stakeholder is shared with any third party without explicit consent being provided unless required to do so under law.
Where there is a legal responsibility to share data, examples might be:
- The placing Local Authority and the Host Local Authority in which the school is located. This may be to meet legal obligations to share information for safeguarding purposes or for more general purposes such as invoicing.
- Examination bodies
- Professional registration bodies
- Regulator – Ofsted and HMI Inspection Team inspection teams.
- Families of the young people.
- Auditors / Professional Advisors working on behalf of the Kedleston Group.
- Police, Court or Tribunal Officials
From time to time a school may be required to provide information to the Department for Education in response to surveys or data collection projects that may lead to anonymised information being maintained on databases. Equally, as an employer Kedleston may be required to participate in surveys, census projects or be required to provide information to various government agencies.
8. The right of the individual
The introduction of GDPR expands the right of individuals to gain access to the information that the company retains about them. The information can be sought via a ‘subject access request’ application that should in the first instance be made to the Chief Operating Officer at the Kedleston Group.
A young person may make a request for disclosure of information relating to their own personal data and this will be provided, providing that the school is of the opinion that the young person is able to understand the information being provided.
A parent, carer or guardian can submit a ‘subject access request’ with respect of their child’s personal data in circumstances where it is determined that the young person is not considered able to understand and interpret the information requested.
A young person, may ask anybody on their behalf to make a ‘subject access request’ and this information should not be withheld without giving a full explanation.
Each ‘subject access request’ will be considered on a case by case basis.
It should be noted that parents, carers or guardians may make a ‘subject access request’ with respect to personal data held about them.
Equally, staff have the right to submit a ‘subject access request’ for the company to share any information held in respect of that employee. (see GDPR HR Privacy Statement)
9. What to expect from a ‘subject access request’.
In the event that a ‘subject access request’ is made then the company will
- Provide you with a clear description of the personal information that is held.
- Explain why the information is held, what it is used for and how long it will be retained in file.
- In the event that the information has been shared with a third party, who it has been shared with.
- Provide a copy of any information that has been provided, if requested.
10. Response time to a ‘subject access request’
The Kedleston Group undertake to ensure that any ‘subject access request’ is responded to within 1 month.
11. Is there a charge for a ‘subject access request’
There is no charge involved.
12. What if the personal data retained is incorrect?
In the event that it is found that personal data being retained is incorrect, then please notify the Chief Operating Officer immediately in order that the error can be corrected immediately.
13. Other rights
In addition to the ‘subject access request’ individuals also have several other rights as part of the implementation of GDPR. There are:
- Request that personal data is not used for direct marketing purposes.
- Withdraw consent to processing of personal data at any time (where consent is the lawful reason for processing)
- Request that incorrect personal data is rectified or erased.
- Object to the processing of data in certain circumstances.
- Challenge processing of data which has been justified on the basis of public interest.
- Prevent processing that is likely to cause damage or distress.
- Object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement that might negatively impact upon them.
- Ask for personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances)
- In certain circumstances be notified of a data breach.
- Make a complaint to the Information Commissioners Office (ICO)
The Kedleston Group seeks to ensure that it fully complies with GDPR. Any complaints concerning the collection and use of personal information should be addressed in the first instance to:
Lee Reed - Chief Operating Officer Tony Hurran - Finance Director
Kedleston Group Kedleston Group
Office 110, 1 Furzeground Way Office 110, 1 Furzeground Way
Stockley Park Stockley Park
UB11 1BD UB11 1BD
Tel No: 020 3823 3030 Tel No: 020 3823 3030
Alternatively, you can make a complaint to the Information Commissioner’s Office at
Information Commissioner’s Office
Tel No: 0303 123 1113
On line concern reporting: https://ico.org.uk/concerns
Here at Kedleston Group we recognise the importance of protecting your privacy. Please be assured that we follow a strict policy of not selling or trading any personal or sensitive information about our customers or prospective customers to any company, organisation or person outside of Wings School or our associated companies.
1. Personal Data and Data Protection
When you complete an online enquiry form we will retain the personal details that you give us ("the Data"). The Data is stored using appropriate safeguards to ensure security, integrity and privacy.
By entering your data in this site you will be deemed to have given us your permission to store the Data.
You are able to delete the Data from the site at any time by writing to us at: Kedleston Group Ltd. Office Suite One, Ansell Gardens, Holloway Lane, Harmondsworth, Middlesex, UB7 0AE
2. Technical Data
We may collect technical data about the type of internet browser and computer operating system that you use. This information does not identify you as an individual and is used only for tracking of site use.
The Kedleston Group may set and access first-party Cookies on your computer. These Cookies are integral to the services provided by the website to you. These Cookies, that may be placed on your computer, are detailed in Schedule 1 to this Policy.
You can choose to enable or disable Cookies in your web browser. By default, your browser will accept Cookies, however this can be altered. For further details please consult www.aboutcookies.org or the help menu in your browser. Please remember that disabling Cookies may prevent you from using the full range of Services available on the website.
You may delete Cookies, however you may lose any information that enables you to access the website more quickly.
The website also uses the third-party Cookies detailed in Schedule 2 to this Policy for the purposes described therein. These Cookies are not integral to the services provided by the website to you and may be blocked at your choosing via your internet browser's privacy settings, should you choose. Please ensure that your internet browser is up-to-date and consult the help and guidance provided in your browser if you are unsure as to how to adjust your privacy settings.
Schedule 1: First-Party Cookies
|Name of cookie||Purpose|
|ASP.NET_SessionId||The website makes use of a session cookie called ASP.NET_SessionID. This cookie is necessary for site functionality and is set even if you do not give your consent. It is held temporarily in memory and is deleted when the web browser is closed. This cookie contains no personally identifiable information.|
Schedule 2: Third-Party Cookies
|Name of cookie||Purpose|
|Google Analytics cookies
__utma __utmb __utmc __utmz
How to reject or delete these cookies: http://www.google.com/intl/en/privacypolicy.html