Statutory policy

GDPR & Privacy Notice

Document ref.
SSK-POL-06
Reviewed
[REQUIRES USER INPUT: review date]
Next review
[REQUIRES USER INPUT: next review date]
Approved by
Board of Directors

A note on this document: This policy is written in plain UK English wherever possible. If any term is unclear, please contact the office and we will explain in person, by telephone or in an Easy Read format. This page can be enlarged, made dyslexia-friendly, read aloud, or printed/saved as a PDF using the toolbar above.

1. Data controller

The data controller is Suffolk Sensory Kitchen, a company registered in England and Wales under company number [REQUIRES USER INPUT: Companies House number], registered with the Information Commissioner’s Office under registration number [REQUIRES USER INPUT: ICO number]. The named Data Protection Lead is the Director with responsibility for governance.

2. What personal data we process

We process the following categories of personal data:

  • Identification data - name, date of birth, sex, address, contact details of the young person and their parents or carers.
  • Education data - home school, year group, attendance history, EHCP, SEND status, teacher reports, exam history.
  • Health data (Special Category) - clinical diagnoses, medication, allergens, dietary requirements, sensory profile, GP details.
  • Safeguarding data (Special Category) - disclosures, chronology, multi-agency records, social care involvement, LADO records.
  • Operational data - attendance, regulation logs, session photographs (where consent is held).
  • Employment data (for staff) - DBS, references, qualifications, training history, payroll.
  • Referrer data - the name, role and contact details of the professional submitting the referral form on this website.

3. Why we process it

We process personal data to:

  • Provide the educational and pastoral service we are commissioned to provide.
  • Safeguard the young person and others.
  • Meet our statutory obligations to the home school, the local authority and the relevant inspectorate.
  • Manage and improve the Provision, including monitoring outcomes.
  • Comply with health and safety, food safety, employment and tax law.

4. Lawful bases

Our lawful bases under UK GDPR are:

  • Article 6(1)(c) - legal obligation, for safeguarding, attendance reporting, and health and safety duties.
  • Article 6(1)(e) - public task, where we are commissioned to deliver an educational service on behalf of a public authority.
  • Article 6(1)(b) - contract, where we hold a contract directly with a school or local authority.
  • Article 6(1)(a) - consent, for processing that is not covered by the above (e.g. taking and publishing photographs of cooking work).

For Special Category data (health, ethnicity and sex life, and the sensitive information that safeguarding records contain), we additionally rely on one or more of:

  • Article 9(2)(b) - employment, social security and social protection law.
  • Article 9(2)(g) - substantial public interest, with the safeguarding condition in Schedule 1, Part 2, Paragraph 18 of the Data Protection Act 2018.
  • Article 9(2)(h) - health and social care.
  • Article 9(2)(c) - vital interests, in life-threatening situations where consent cannot be obtained.
  • Article 9(2)(a) - explicit consent, where the above do not apply.

5. Who we share with

We share personal data with:

  • The home school of a dual-registered student.
  • The commissioning local authority and its SEND team.
  • Suffolk Multi-Agency Safeguarding Hub (MASH) and other safeguarding partners, where the safeguarding threshold is met.
  • The Local Authority Designated Officer (LADO), where an allegation against a member of staff requires it.
  • Emergency services, where the immediate safety of an individual requires it.
  • Clinical services involved in the young person’s care (with consent or under safeguarding bases).
  • Our data processors - IT and cloud hosting providers - each under a written data processing agreement that meets Article 28 of UK GDPR.
  • Our insurers, auditors and external legal advisers, where strictly necessary.
  • HM Revenue & Customs and other regulators where required by law.

We do not sell personal data. We do not transfer personal data outside the UK, except where a processor uses a sub-processor located outside the UK; in such cases the transfer is made under an International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and a Transfer Risk Assessment is held on file.

6. Retention schedule

Retention is set with reference to the Information and Records Management Society (IRMS) toolkit for schools, the Limitation Act 1980 and the Independent Inquiry into Child Sexual Abuse (IICSA) recommendations on safeguarding records:

  • Safeguarding records - retained for at least the duration recommended by IICSA, currently a minimum of 75 years from the child’s date of birth.
  • Pupil placement file (non-safeguarding) - retained until the young person’s 25th birthday.
  • SEND records - retained until the young person’s 25th birthday plus six years.
  • Accident records - retained for at least three years from the date of the accident, and longer where the accident involves a young person.
  • Allergen and dietary information - retained for the duration of placement plus six years.
  • Referral form data on website submission - retained for 12 months unless converted to a placement file, in which case the placement file retention applies.
  • Employment records - retained for six years following the end of employment, except DBS information which is destroyed within six months unless legitimately retained for a specific reason.
  • Financial records - retained for six years to meet HMRC obligations.

7. Security

Personal data is held on UK-region cloud infrastructure (provider: [REQUIRES USER INPUT: hosting provider name]) with encryption at rest and in transit. Access is controlled by least-privilege role-based permissions, multi-factor authentication, and quarterly access reviews. Paper records, where they exist, are stored in locked filing cabinets within a locked office. All staff complete annual data protection training. Mobile devices are managed under a written acceptable use policy and are encrypted.

8. Your rights

Under UK GDPR you have, subject to certain conditions, the right to:

  • Be informed about how your personal data is used.
  • Access the personal data we hold about you (a Subject Access Request).
  • Have inaccurate personal data corrected.
  • Have your data erased, where retention is no longer lawful.
  • Restrict the processing of your data.
  • Object to processing, including to processing for direct marketing (we do not do direct marketing).
  • Data portability, where the processing is by automated means under consent or contract.
  • Withdraw consent, where consent is the lawful basis.
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not operate any such automated decision-making).

9. Subject Access Requests

Subject Access Requests should be sent in writing to the Data Protection Lead at [REQUIRES USER INPUT: dpo@... email]. We will acknowledge receipt within three working days and respond within one calendar month of receipt. Where a request is complex, or we receive several requests from the same person, we may extend this by up to two further months; if we do, we will tell you within the first month and explain why. Where a request is made by, or concerns, a young person under 18, we consider on a case-by-case basis whether the young person is competent to make the request themselves (Gillick competence) or whether a parent or carer may make it on their behalf.

10. Cookies

This website uses a minimal number of cookies, all of which are strictly necessary for the operation of the website. We do not use behavioural tracking cookies, advertising cookies or third-party analytics that profile visitors. If an analytics provider is engaged in future, this notice will be updated and a consent mechanism added before any non-essential cookie is set.

11. Children & capacity

The young people we work with are all under 18. For most data protection purposes, the relevant authority to consent on behalf of a child sits with the parent or carer with parental responsibility, although the child’s own views are sought and weighted by competence and age. Photographic consent is renewed annually.

12. Data Protection Impact Assessments & breach

Before any new processing activity that is likely to result in a high risk to individuals' rights and freedoms, we complete a Data Protection Impact Assessment (DPIA). All personal data breaches are recorded in a Breach Register. Where a breach is likely to result in a risk to individuals, we report it to the Information Commissioner's Office within 72 hours of becoming aware of it; where it is likely to result in a high risk, we also notify the affected individuals without undue delay.

13. Contact & complaint

To exercise your rights, raise a question or make a complaint about how we handle personal data, contact the Data Protection Lead at [REQUIRES USER INPUT: dpo@... email]. You also have the right to complain to the Information Commissioner’s Office at ico.org.uk. We would, however, appreciate the opportunity to address your concern first.

Editing this policy: The full text of every policy lives in /app/policies/*/page.tsx and supporting copy lives in /content. The named author and approving director should re-date the document at every review.