Skip to the content
24-hour Referral Line: 0800 304 7244
Accessibility
24-hour Referral Line: 0800 304 7244

Young Person Privacy Notice

This notice is intended to provide information about how The Witherslack Group will use (or "process") personal data about Young Person.

This Privacy Policy applies alongside any other information our sites’ (Schools and/ or Children’ s Homes) may provide about a particular use of personal data, for example when collecting data via an online or paper form or when signing in as visitors. Recruitment and job applicant privacy notices are available on the WorkDay managed site where the relevant data is manged ( our recruitment partner). These are available on request as well. Please contact the Data Protection Team – dataprotection@herslackgroup.co.uk

This Privacy Policy also applies in addition to our sites’ ( Schools and/ or Children’ s Homes) other relevant terms and conditions and policies, including:

  • Data Retention Policy
  • Child Protection and Safeguarding Policies
  • Health and Safety Policy
  • Data Protection policy including, Bring Your Own Device (BYOD)
  • Cookie Policy ( see on-line cookie policy on Witherslack Group website)
  • Safeguarding, pastoral, or health and safety policies, including as to how concerns or incidents are recorded; and
  • IT policies, including its E-Safety Policy, Acceptable Use Policies.

For ease of reference and understanding we have produced different Privacy Notices for the key different categories of individuals we deal with.

How we use your information

This document is split into the following headings Who are we Why do we collect and use your information Categories of young people’ s Personal information that we collect, hold and share include Collecting young people’ s information Storing young people’ s information Who do we share young people’ s information with Why we share young people’ s information Your Rights Queries and complaints

Who we are

In this policy, whenever you see the words (‘ We’, ‘ Us’ or ‘Our’), it refers to Witherslack Group, Lupton Tower, Lupton, Cumbria, LA6 2PR. Registered with the Information Commissionaires Office (ICO) in England Company No: Z3410582. For the purposes of UK Data Protection Law, We are a data controller in respect of the personal information that We collect and process about you as described in this privacy notice. Witherslack Group provides inspirational education and care to children and young people, resulting in life changing experiences and countless stories of success.

We are a leading provider of specialist education and care for children and young people with social, emotional, and mental health needs, communication difficulties ( autistic spectrum conditions, Asperger’ s Syndrome, speech, language and communication needs) and complex learning needs.

Our focus on support, care and acceptance allows each young person to develop as an independent individual, equipped with the knowledge, experience and life skills to look to the future with increased confidence and aspiration.

Why do we collect and use young people’s information

We lawfully process your information in accordance with General Data Protection regulation (GDPR) Article 6 (a) (c) (e) (f)
We may process your personal data with your consent, authorised in Law, public task or for Our legitimate business interests. “ Legitimate Interests” means the interests of Our company in conducting and managing our business and providing you with the best care and education in the most secure way however when We process your personal data for Our legitimate business interests. We always ensure that We consider and balance any potential impact on you and your rights under data protection laws.

We do this;

  • for the purpose of placement selection,
  • provision of safe education and care,
  • to support young people’ s learning including but not limited to musical education, physical education, spiritual development, career services, trips, computer skills,
  • to monitor and report on young person’ s progress and attainment,
  • to provide pastoral care, to provide effective communication with parents/ carers,
  • to provide effective communication with local authorities,
  • for management and planning,
  • to assess the quality of our services,
  • to comply with the law regarding data collation and sharing,
  • to support you to decide what to do after you leave home or school.
  • To meet our safeguarding responsibilities dictated in statute.
  • Maintain the young person’ s EHCP.

Categories of a young person’s information that we collect, hold and share include:

We will only ever collect the information We need – including data that will be useful to help improve Our services.

We may collect and process the following data about you:

    • Personal information ( such as name, unique pupil number and emergency contact details and family background information – this will include parent/ carer contact details),
    • Education and attainment information,
    • Characteristics (such as ethnicity, language, nationality, country of birth, gender and religion)
    • Attendance information ( such as sessions attended, number of absences and absence reasons),
    • National curriculum assessment results,
      Special educational needs information,
    • Information necessary to keep you safe ( child protection and health and safety,)
    • Internet usage.
    • Images on sites with CCTV
    • Risk assessments.

Special Categories of personal data processed ( such as health processed through GDPR Article 9 (2)(a)(h)(f)(g). In summary this means that your personal data is used to support and protect you in your education and care. There will be occasion when your data is processed with your consent (or that of an appropriate adult representing you). Where this is the case you will have the right to change your mind.

There will also be cases when the processing is required to protect you and keep you safe from harm inclusive of physical, mental, and emotional harm. Where possible you will be informed of this processing but on occasion data may be processed/ shared with others to safeguard you or other young people, such as:

  • medical information from health service,
  • SEN details from Local authority,
  • Behavioural information
  • Special Educational needs information
  • Sexual orientation

Collecting a young person’s information

We may collect and process the following data about you from:

  • Yourself
  • the local Authority referral process,
  • information provided by you,
  • multi- agency meetings,
  • Information provided by parents/ carers, and family members.
  • CCTV ( visual and in limited cases audio),
  • photographs as part of learning programme and safeguarding.
  • Staff
  • Other professionals e.g. dentist doctor, clinical professionals.

As mentioned in our Data Protection Policy including Appendix - Our Bring Your Device Policy (BYOD) we also process data from details of your visits to our WIFI including but not limited to:

  • IP addresses (the location of the computer on the internet)
  • Pages accessed, and
  • Files downloaded
  • Cookies

In order to comply with current Data Protection Legislation and the UK General Data Protection Regulation, we will inform you whether you are required to provide information to us or if you have a choice in this. Whenever the processing of your personal data requires your consent then you will be given the opportunity to opt-in and then to opt-out if you so desire.

Storing a young person’s information

Information is stored by Us on computers located in the EEA. We may transfer the information to other reputable third - party organisations as explained below – they may be situated inside or outside the UK or European Economic Area however we will only share if they provide appropriate assurances as to security and management of the data. These assurances will include adequacy considerations or confirmation of appropriate safeguards inclusive of recognised Binding Corporate Rules (BCR) Contracts or Standard Contractual Clauses (SCC) being in force. We may also store information in paper files. We may also store information in paper files.

We have security protocols and policies in place to manage and record your data privacy and preferences correctly and that your data is stored securely to protect against its loss, misuse and alteration. Further information can be obtained on request from our Data Protection Officer who is contactable by emailing dataprotection@herslackgroup.co.uk.

We take steps to ensure that any organisations that we share your data with will have security protocols and policies in place to manage and record your data privacy and preferences correctly and that your data is stored correctly.

Unfortunately, the transmission of data across the internet is not completely secure and whilst we do our best to try to protect the security of your information we cannot ensure or guarantee that loss, misuse or alteration of data will not occur whilst data is being transferred. To further mitigate this risk all emails from the Witherslack Group, containing personal data, are sent encrypted.

We will keep your information only for as long as we need it to provide you with the services or information you have required, to administer your relationship with us, to comply with the law, or to ensure we do not communicate with people that have asked us not to. When we no longer need information, we will always dispose of it securely, using specialist companies if necessary to do this work for us. We maintain a retention schedule which is reviewed annually.

We keep information about you on computer systems and also sometimes on paper.

  • Current young people: information may be maintained on both computer and on paper. In both cases the information contained will be kept secure and will only be used for purposes directly relevant to that person’s education and care. Storage and transmissions are encrypted, and access controls are in place.
  • Young People who have left have their records archived in accordance with the requirements of our retention schedule. We will retain personal data securely and only in line with how long it is necessary to keep for a legitimate business need or in some cases to meet our legal obligations. In general, educational records are held until the young person is 32 years old. Files will be kept securely electronically and/ or in hard copy. Storage and transmissions are encrypted, and access controls are in place.
  • Where a young person moves school education and appropriately redacted safeguarding information is provided to the new school and then the files area archived in accordance with the requirements of our retention schedule. We will retain personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. In general education files are retained until the you are 32 years of age. Files will be kept securely electronically and/ or in hard copy.
  • All emails sent to us or from our staff are retained for a period of 3 months (in the case of some managers emails will be retained for a period of 12 months) with relevant information relating to young people transferred to the appropriate pupil record and retained in accordance with our retention schedule.

WG have a retention schedule within their policy documents. This will display the most up to date retention information available.

Who do we share a young person’s information with

We may share a young person’ s information with:

  • Schools or colleges that the young people attend after leaving us
  • The local authority and their commissioned providers of local authority services
  • The Department for Education (DfE)
  • The joint council for qualifications (JCQ)
  • Ofsted
  • regulatory Inspection visitors
  • Health and Safety Executive
  • Staff in homes and schools
  • Clinical Staff of WG and external Clinicians
  • Parents/carers
  • LADO
  • Police
  • WG Quality assurance visitors
  • Multi-agency forums (LAC and PEP)
  • External education providers
  • Online Teaching and Learning Resources
  • Extra-Curricular providers
  • Boxall Profile Online
  • Parent to Teacher Communications Tools
  • Edufocus Ltd (Evolve)
  • External apps and services supporting curriculum.

Why we share a young person’s information

Just like most other organisations, we work with third-party service providers which provide important functions to us that allow us to be easier, faster, and friendlier in the way we deliver our services. We need to disclose user data to them from time to time, as part of our legal obligations and legitimate business interests, so that the services can be delivered. An example of this would be the use of apps when delivering the education curriculum.

As previously highlighted, we do not share your information with anyone without your consent unless the law and our policies allow us to do so. We have robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. We will not share your data if you have advised us that you do not want it shared unless it is the only way we can make sure you stay safe and healthy, or we are legally required to do so.

Decisions on whether we release data to third parties are subject to a strict approval process and based on a detailed assessment of;

  • who is requesting the data,
  • the purpose for which it is required,
  • the level and sensitivity of data requested,
  • and o the arrangements in place to store and handle the data,
  • arrangements for return/ destruction,
  • ability to facilitate a subject access request.

Below are authorities under which we share your data and with whom we share.

Who we share with

Who we share with

Article 6 basis

Why we share

What is shared

Schools or colleges
that the young
people attend after
leaving us

In law.

To further the education provision for our young people.

Educational records.
The local authority
and their
commissioned providers of local
authority services		 In law. Provision of care and education for young people with SEN and Looked after Children.

Educational record, Education Health Care Plan, looked after Children notes, multi- agency forum notes, personal education plans.
The Department for Education (DfE) In law. Educational attainment policy and monitoring. The National Young People Database (NPD). Provision of young people record number.

gov.uk/education/data-collection-and-censuses-for-schools; name of young people.
The joint council for qualifications (JCQ) Legitimate business interest. Currently signed for on a JCQ consent form however the detail is provided to them by Us as a legitimate business interest. Attendance for the exam is consensual.

Name, date of birth, any health considerations to enable reasonable adjustments to take the exam.
OFSTED In law. Ensuring a monitored and accountable service provision is in place.

All relevant personal or sensitive information (restricted by purpose of visit to minimise data) reported upon anonymously.
Regulatory Inspection visitors In law. Ensuring a monitored and accountable service provision is in place. 

All data of residents and young peoples as deemed appropriate by the inspector.

Health and Safety
Executive

In law.

Safety in the workplace... Safety in the schools and homes. Consideration as to the level of safeguarding needed on each site
which is commensurate with the behavioural/risk posed.

Environmental information and personal information, behaviour, health.

Staff in homes and
schools

Legitimate business
interest.

Maintaining a safe environment for the provision of necessary
care and specialist education. Pastoral support and safeguarding.

Behaviour reports, personal contact details, multi-agency reports.

Clinical Staff of WG and external
Clinicians

Consent, legitimate
business interest.

Provision of support for Special Educational needs.

Personal data name, date of birth, family circumstances, behaviour, risk assessment,
EHCP, and health data.

Parents/carers

Legitimate
business
interest, in law.

To enable the provision of educational support at home. In general, We will assume that a young person’ s consent is not required for ordinary disclosure of their personal data to their parents, e.g. for the purposes of keeping parents informed about
the young person's activities, progress and behaviour, and in the interests of the young person' s welfare. That is unless, in The School or Home’ s opinion, there is a good reason to do otherwise.
However, where a young person seeks to raise concerns of confidentially with a member of staff and expressly withholds
their agreement to their personal data being disclosed to their parents, the School or Home may be under an obligation to maintain confidentiality unless, in
the School or Home’s opinion, there is a good reason to do otherwise, for example where The
School or Home believes disclosure will be in the best interests of the young person or other young people, or if required by law.

Ongoing reports and communication in relation
to behaviour and achievement.

LADO

In law.

Keeping Children safe in
education.

All relevant personal or sensitive information restricted by circumstance to minimise data).

Police

In law.

Keeping Children safe in
education.

All relevant personal or sensitive information restricted by circumstance to minimise data).

WG Quality assurance visitors

Legitimate business interest.

Ensuring that the service provision is of the highest standard and compliant with regulation/Law.

All relevant personal or sensitive information restricted by purpose of visit to minimise data) reported upon anonymously. 

Multi-agency forums (LAC and PEP)

In law.

Keeping Children safe in education.

All relevant personal or sensitive information restricted by circumstance to minimise data).

External education providers

Legitimate
business
interest.

Provision of external educational support to further develop the young person
Name, date of birth, address and potentially health data to support the learning plan. Online Teaching and Learning Resources Public interest Provision of educational
support to further develop our young people by means of
online teaching and learning resources including online assessment tools).

Name, date of birth, school attended, year group, potentially SEN, assessment, and attainment.

Extra-Curricular
providers

Legitimate
business
interest.

Provision of extra-curricular activities to further develop the educational provision
offered to our young people.

Name, date of birth, school attended, address, and potentially health data to support the SEN/SEMH.
Boxall Profile Online Legitimate
business
interest.		 Provision of clinical and  therapeutic support for Special Educational needs. Name, date of birth, Gender, SEMH, and Unique Pupil Number (UPN).
Parent to Teacher
Communications
Tools		 Legitimate
business
interest.		 Provision of home to school communications via use of online apps. Young person data: Name, school attended, year group.
Parent/Carer data: Name, address, email address, contact phone number.
Edufocus Ltd Evolve) In law (KCSiE) Risk assessment to ensure the health, safety and wellbeing of our young people whilst they participate in extracurricular activities. Name; Gender; school attended; Class name.
External apps and
services supporting
curriculum.		 Public task Additional resources to assist pupils with their education – logins required. Name, school year group

Your Rights

Under data protection Legislation you and in some cases your parent/ guardian have the right to request access to information about you that we hold. You should be aware that the right of access is limited to your own personal data, and certain data is exempt from the right of access. This will include information which identifies other individuals (and parents need to be aware this may include their own children, in certain limited situations), some safeguarding, or information which is subject to legal privilege ( for example legal advice given to or sought by Us, or documents prepared in connection with a legal action).

We are also not required or authorised to disclose any examination marks ahead of any ordinary publication.

Young people can make subject access requests for their own personal data, provided that, in our reasonable opinion, they have sufficient maturity to understand the request they are making. A young person of any age may ask a parent or other representative to make a subject access request on his/ her behalf. Indeed, while a person with parental responsibility will generally be entitled to make a subject access request on behalf of a young person, the law still considers the information in question to be the child’ s: for more mature young people, the parent making the request may need to evidence their child's consent or authority for the specific request.

The Witherslack Group believe that Young People aged 13 and above are generally assumed to have this level of maturity, although this will depend on both the child and the personal data requested, including any relevant circumstances at home. Slightly younger children may however be sufficiently mature to have a say in this decision, depending on the child and the circumstances The competence of the young person, to make the request, is discussed with all stakeholders before a decision is made.

All information requests from, on behalf of, or concerning young people – whether made under subject access or simply as an incidental request – will therefore be considered on a case- by-case basis.

You also have the right to:

  • Object to processing of personal data that is likely to cause, or is causing, damage or distress.
  • Prevent processing for the purpose of direct marketing.
  • Object to decisions being taken by automated means.
  • In certain circumstances, have inaccurate personal data rectified, blocked, erased, or destroyed; and
  • Claim compensation for damages caused by a breach of the Data Protection regulations.

If you wish to exercise any of these rights, please contact the Data Protection Officer.

  • by writing to the data protection officer at Witherslack Group, Lupton Tower, Carnforth, LA6 2PR,
  • by calling the data protection officer on 015395 66081,
  • by E-mailing the data protection officer on dataprotection@Witherslackgroup. co.uk; or by
  • speaking to any member of staff.

Queries and Complaints

If you believe that We have not complied with this policy or acted otherwise than in accordance with Data Protection Law, you should notify The Data Protection Officer on dataprotection@Witherslackgroup.co.uk.

You can also make a referral to or lodge a complaint with the Information Commissioner’ s Office (ICO), although the ICO recommends that steps are taken to resolve the matter with The Witherslack Group directly before involving the regulator.

For more information about your rights under the Data Protection Act contact the Information Commissioner’s Office - https:// ico.org.uk/.