SWRAC Data Protection (GDPR) Policy
1. Purpose
This policy sets out how SWRAC collects, stores, processes, and shares personal data in line with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
We are committed to protecting the privacy and rights of learners, parents/carers, staff, and other stakeholders while fulfilling our statutory and contractual obligations, including those with the Department for Education (DfE).
2. Scope
This policy applies to:
– All learners, parents/carers, staff, contractors, and volunteers of SWRAC.
– All personal data collected and processed by SWRAC, whether in paper or electronic form.
3. Lawful Basis for Processing
We process personal data under the following lawful bases:
– Public task / Legal obligation – to meet our statutory duties, including the Individualised Learner Record (ILR) required by the Department for Education.
– Vital interests – to maintain contact details of parents/carers for emergency purposes and to share safeguarding information where necessary.
– Consent – where we request and rely upon consent for specific processing not covered by legal/statutory duties.
– Legitimate interests – to share learner data with next education or training providers to support transition.
4. Types of Personal Data Collected
SWRAC may collect and process the following categories of data:
– Learner data: name, date of birth, contact details, education records, attendance, progress reports, safeguarding records.
– Parent/carer contact details: name, relationship to learner, contact information.
– Sensitive personal data (special category data): health/medical needs, ethnicity, learning support needs, safeguarding information.
5. Data Sharing
We only share personal data where it is lawful and necessary:
– With the Department for Education (DfE) through the ILR.
– With parents/carers in appropriate circumstances.
– With safeguarding partners (such as local authorities, police, health services, or safeguarding boards) when required to protect the welfare of a learner.
– With next education or training establishments to ensure smooth learner transition.
We do not sell or transfer data to third parties for marketing or unrelated purposes.
6. Data Retention
In line with our contractual obligations with the Department for Education, personal data will be retained for up to 6 years after a learner leaves SWRAC.
After this time, data will be securely destroyed.
7. Data Security
SWRAC protects personal data through:
– Secure IT systems with multi-factor authentication, monitoring, and filtering.
– Cyber Essentials certification as recognition of good practice in cyber security.
– Physical security for paper records, including locked storage and restricted access.
– Staff training and awareness on data protection responsibilities.
8. Rights of Data Subjects
Individuals have the following rights under the GDPR:
– The right to be informed about how their data is used.
– The right of access to their data.
– The right to rectification of inaccurate data.
– The right to erasure (where applicable).
– The right to restrict or object to processing (where applicable).
– The right to data portability (where applicable).
Requests to exercise these rights should be made in writing to the Data Protection Officer (DPO).
9. Data Breaches
Any suspected data breach will be reported immediately to the Data Protection Officer. Where required, breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours and to affected individuals without undue delay.
10. Roles and Responsibilities
– Governing Body / Senior Leadership: overall responsibility for compliance.
– Data Protection Officer (DPO): oversees data protection strategy, advises on compliance, and acts as point of contact with the ICO.
– All staff: must follow this policy and complete relevant training.
11. Contact
For questions about this policy or to exercise data rights, please contact:
Data Protection Officer
SWRAC
Adrian Gunner
adriangunner@swrac.ac.uk
01202 848099
Appendix A: SWRAC Privacy Notice for Learners and Parents/Carers
Policy Number: SWRAC 44
Why we collect information
SWRAC needs to collect and use personal information about our learners and their parents/carers. We do this to provide education, keep everyone safe, and meet our legal duties with the Department for Education (DfE).
What information we collect
We may collect:
– Personal details (name, address, contact information, date of birth)
– Learning records (attendance, progress, assessments)
– Parent/carer contact details (for emergencies)
– Health or support needs (where necessary for your education and safety)
– Safeguarding information (if needed to keep learners safe)
How we use your information
We use information to:
– Provide education and support
– Keep learners safe and well
– Contact parents/carers in emergencies
– Report to the Department for Education (DfE)
– Share with the next school, college, or training provider when learners move on
Who we share with
We only share information when it is lawful and necessary, for example:
– Department for Education (DfE)
– Parents/carers
– Safeguarding organisations (local authority, police, health services)
– Next education or training providers
We never sell personal data or share it for marketing purposes.
How long we keep information
We keep personal data for up to 6 years after a learner leaves SWRAC, as required by our contract with the Department for Education. After this, it is securely destroyed.
How we keep information safe
We use secure computer systems with strong protections, including multi-factor authentication and Cyber Essentials certification. Paper records are stored safely. Staff are trained to handle information carefully.
Your rights
Learners and parents/carers have rights under data protection law, including the right to:
– See the information we hold about you
– Ask us to correct anything that is wrong
– Ask us to delete or limit the use of your information (where the law allows)
– Complain if you are unhappy with how we use your data
Contact us
If you have any questions or want to use your data rights, please contact:
Data Protection Officer
SWRAC
Adrian Gunner
adriangunner@swrac.ac.uk
01202 848099
Use of Cookies by SWRAC Website
A cookie is a small data file that a website transfers to a user’s device when they visit particular websites. The only personal information a cookie can contain is that which a user willingly supplies. A cookie cannot read any other data from a device or read cookie data created by other websites.
SWRAC only use cookies to monitor visitor numbers and gather anonymous statistics about our website using Google Analytics. The Google Analytics cookies are used to collect information about how visitors use our website, including the number of visitors to the site, where vistors have come to the website from and the pages they have visited. We use this information to compile reports and to help us improve the site.
All of the Google Analytics data collected by SWRAC is anonymous. The data is automatically anonymised using the ‘anonymize_ip’ setting within Google Analytics which removes any personal identification based on your IP address.
For more information you can read an overview of Google Analytics privacy.