Privacy Notice, Island Futures

Post 16: Why do we collect and use this information?

Isle of Wight Council is the organisation responsible for processing your information (the Data Controller). Our 'Island Futures' service collects and uses information from young people, parents/carers, schools/academies/colleges, private and voluntary organisations and health services in order to help young people to successfully take part in education, training and employment.

We collect information about young people, their parent/carers, alongside details around a young person’s school/academy/college or employer. We hold this personal data securely and use it to:

  • support young people and adults in Isle of Wight to successfully take part in education, training and employment;
  • secure sufficient suitable education and training provision for all young people on the Isle of Wight who are over compulsory school age but under 19 or aged 19 to 25 and for whom an Education, Health and Care (EHC) plan is maintained;
  • develop a strategic overview of the provision available in the Isle of Wight and to identify and resolve gaps in provision;
  • make available to all young people aged 13-19 and to those between 20 and 25 with special educational needs and disabilities (SEND), support that will encourage, enable or assist them to participate in education or training;
  • identify those who are not participating (known as NEETs) and give them support to re-engage
  • provide advice and guidance to employers and professionals;
  • complete statutory returns back to central government, such as the Department for Education (DfE);
  • undertake wider Council statutory duties in support of your child’s education and welfare; and
  • ensure compliance with our obligations under the accuracy principle of the General Data Protection Regulation (Article (5)(1)(d)), making sure our records about you and your family are up to date.

CAPITA plc is a data processor for this information acting on our instructions for the purpose of delivering a contract to the Council around the hosting and supporting of the CAPITA One system, which the Council uses to store the information provided to us, as identified under this privacy notice. This includes accessing the CAPITA One system to fix any technical issues to ensure the system is fit for use.

The following sections provide further detail around the information we process setting out what allows us to do this (lawful basis), who we may share it with, how long we keep it for (the retention period), alongside identifying any rights you may have and who to contact if you think we’re not handling your information in the right way.

The categories of information that we collect, hold and share

The following personal and special category information is processed:

  • the young person’s personal information (name, address, date of birth, school);
  • information about the young person’s characteristics (such as gender, religion, ethnicity, SEN status, looked after status);
  • the young person’s guidance notes and action plans (such as career choice, exam results);
  • the young person’s destination data (such as name of college, apprenticeship/traineeship provider, course name, course level); and
  • personal information about the young person’s parent/carer (name and address, telephone number, email address).

The lawful basis on which we use this information

We collect and use the information ensuring that we comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018) requirements for processing through:

  • Article 6(1)(e) - the processing is necessary to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law;
  • Article 9(2) (g) – Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures; and
  • Sch.1, Pt.2, 1 - Substantial public interest conditions, for processing under the DPA2018.

These articles under the GDPR and the DPA2018 are supported by the following specific legislation:

  • Sections 15ZA and 18A of the Education Act 1996; and
  • Sections 10, 12, 18 and 68 Education and Skills Act 2008.

Under this lawful basis we do not require your consent to process this information but we are required, through this privacy notice, to ensure you are fully informed of why we are collecting this information and what we will do with it.

Please note that no automated decision making (decisions taken without a person involved) occurs for any parts of these activities controlled by the Council.  The Council does use profiling as part of the service based on classification groups set out in statutory guidance.

Storing and Securing Data

The information provided to us will be held within the Council’s CAPITA One system. The information held within CAPITA One will be kept in line with our retention schedule i.e. Until the young person reaches the age of 25 and then disposed of as appropriate. The Council’s CAPITA One system is hosted by CAPITA plc in secure data centres based in the UK. No information leaves the European Economic Area (EEA) and the information is encrypted when in transit between Council users of the system and the data centre the information is hosted within.

Forms sent electronically (paper forms will be scanned to create an electronic record) will be stored within the Council’s Document Management System (DMS), with any paper versions being destroyed. The file will be linked to the record created in CAPITA One by the use of a reference identifier. The information held within the Council’s DMS will be kept in line with our retention schedule and then deleted as appropriate. The Council’s DMS is hosted by the Council in secure UK based data centres, which are on site. No information leaves the European Economic Area (EEA).

Isle of Wight Council takes its data security responsibilities seriously and has policies and procedures in place to ensure the personal data held is:

  • prevented from being accidentally or deliberately compromised; accessed, altered, disclosed or deleted only by those authorised to do so;
  • accurate and complete in relation to why we are processing it;
  • continually accessible and usable with daily backups; and
  • protected by levels of security ‘appropriate’ to the risks presented by our processing.

The Council also ensures its IT Department is assessed to the internationally recognised standard for information security management, ISO27001.

Who do we share information with?

We do not share information with anyone unless there is a lawful basis that allows us to do so.

Sections 14-17 of Education and Skills Act 2008 provide data sharing powers to encourage local authorities to promote effective participation.  As part of this activity, we share information with educational establishments and service providers, who are offering support with the Council, to young people classed as NEET with the purpose that it will encourage, enable or assist them to participate in education or training.

We are required by law to share information with the DfE through the submission of statutory returns. This data sharing underpins funding and educational attainment policy and monitoring. Please visit the DfE to find out more about the data collection requirements placed on us and the pupil information we share with the DfE for the purpose of data collections.

Depending on the individual circumstances of each situation, we may have to share this information with other teams within the County Council to fulfil other statutory duties and powers to support our work. These teams might include our Children Missing Education (for ensuring the provision of full time education); Virtual School (for support of children looked after); and/or Social Care teams (supporting welfare, safeguarding and corporate parent functions).

Requesting access to your personal data and your rights

Under data protection legislation, individuals have the right to request access to information about them that we hold. To make a request for your personal information, or someone you have responsibility for, please contact the Corporate Information Unit by email to information@iow.gov.uk. Read more information about this process.  

You also have the right to:

  • prevent processing for the purpose of direct marketing;
  • object to decisions being taken by solely automated means;
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations.

Please note that under the GDPR, there is also a right to erasure but the right to erasure does not provide an absolute ‘right to be forgotten’. Where the data being processed is for the purpose of ‘performing a task in the public interest or for our official functions, and the task or function has a clear basis in law’ (Article 6(1)(e))’, this right does not automatically apply.

If you have a concern about the way we are collecting or using your personal data, you can raise your concern with us in the first instance or you can go directly to the Information Commissioner's Office, as the supervisory authority. 

Contact Details

The Isle of Wight Council’s Data Protection Officer can be contacted by email: dpo@iow.gov.uk.

For further information on how we handle personal information, your data rights, how to raise a concern about the way we are processing your information and the County Council’s Data Protection Officer, please see our General Privacy Notice.

Careers and Employability Service: Why do we collect and use this information?

Isle of Wight Council is the organisation responsible for processing your information (the Data Controller). Our ‘Island Futures’ Careers and Employability Service collects and uses information from your pupils and your school in order to help young people in your school to maximise their progression opportunities.

We collect information about your child, you as their parent/carer, alongside details around their school/academy/college or employer. We hold this personal data and wider information securely and use it to deliver this sold service to:

  • provide face-to-face careers advice;
  • deliver group sessions covering areas such as decision making, Post-14, 16 and 18 choices, employability and apprenticeships;
  • supply work related learning and enterprise activities;
  • arrange work experience placements
  • provide support to education providers for developing and improving careers education programmes;
  • offer professional development support for school/college based careers staff;
  • provide input at parents evenings, results days and other events;
  • provide access to online resources;
  • produce post-16 destination reporting;
  • create tailored NEET (Not in Employment, Education or Training) prevention programmes to meet the needs of individuals or groups who are at risk of disengaging or becoming NEET; and
  • ensure compliance with our obligations under the accuracy principle of the General Data Protection Regulation (Article (5)(1)(d)), making sure our records about you and your family are up to date.

CAPITA plc is a data processor for this information acting on our instructions for the purpose of delivering a contract to the Council around the hosting and supporting of the CAPITA One system, which the Council uses to store the information provided to us, as identified under this privacy notice. This includes accessing the CAPITA One system to fix any technical issues to ensure the system is fit for use.

The following sections provide further detail around the information we process setting out what allows us to do this (lawful basis), who we may share it with, how long we keep it for (the retention period), alongside identifying any rights you may have and who to contact if you think we’re not handling your information in the right way.

The categories of information that we collect, hold and share

The following personal and special category information is processed:

  • your pupil’s personal information (name, address, date of birth);
  • information about your pupil’s characteristics (such as gender, ethnicity, SEN status, looked after status);
  • your staff’s personal information (name and address, contact number, email address);
  • your pupils guidance notes and action plans (such as content including career choice and exam results); and
  • your pupil’s destination data (such as name of establishment, Apprenticeship/Traineeship provider, course name and level).

The lawful basis on which we use this information

We collect and use the information ensuring that we comply with the General Data Protection Regulation (GDPR) requirements for processing through:

  • Article 6(1)(a) Consent - the individual has given clear consent for you to process their personal data for a specific purpose;
  • Article 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law; and
  • Sch.1, Pt.4, 1 - Appropriate policy document and additional safeguards condition, for processing under the Data Protection Act 2018.

Please note that no automated decision making (decisions taken without a person involved) occurs for any parts of these activities controlled by the Council. The Council does not use profiling as part of the service.

Storing and Securing Data

The information provided to us will be held within the Council’s CAPITA One system. The information held within CAPITA One will be kept in line with our retention schedule and then disposed of as appropriate. The Council’s CAPITA One system is hosted by CAPITA plc in secure data centres based in the UK. No information leaves the European Economic Area (EEA) and the information is encrypted when in transit between Council users of the system and the data centre the information is hosted within. Forms sent electronically (paper forms will be scanned to create an electronic record) will be stored within the Council’s Document Management System (DMS), with any paper versions being destroyed. The file will be linked to the record created in CAPITA One by the use of a reference identifier. The information held within the Council’s DMS will be kept in line with our retention schedule and then deleted as appropriate. The Council’s DMS is hosted by the Council in secure UK based data centres, which are on site. No information leaves the European Economic Area (EEA). The Council takes its data security responsibilities seriously and has policies and procedures in place to ensure the personal data held is:

  • prevented from being accidentally or deliberately compromised;
  • accessed, altered, disclosed or deleted only by those authorised to do so;
  • accurate and complete in relation to why we are processing it;
  • continually accessible and usable with daily backups; and
  • protected by levels of security ‘appropriate’ to the risks presented by our processing.

The Council also ensures its IT Department is assessed to the internationally recognised standard for information security management, ISO27001.

Who do we share information with?

We do not share information with anyone unless there is a lawful basis that allows us to do so.

Depending on the individual circumstances of each situation, we may have to share this information with other teams within the Council to fulfil other duties and powers to support our work. These might include our Children Missing Education (for ensuring the provision of full-time education); Virtual School (for support of children looked after); and/or Social Care teams (supporting welfare, safeguarding and corporate parent functions). We may also share information through the Council’s role in the Hampshire Safeguarding Children Partnership (HSCP) to comply with their statutory duties.

Requesting access to your personal data and your rights

Under data protection legislation, individuals have the right to request access to information about them that we hold. To make a request for your personal information, or someone you have responsibility for, please contact the Corporate Information Unit 

You also have the right to:

  • withdraw your consent;
  • prevent processing for the purpose of direct marketing;
  • object to decisions being taken by solely automated means;
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations.

If you have a concern about the way we are collecting or using your personal data, you can raise your concern with us in the first instance or you can go directly to the Information Commissioner's Office as the supervisory authority.

The Isle of Wight Council's Data Protection Officer can be contacted on dpo@iow.gov.uk

For further information on how we handle personal information, your data rights, how to raise a concern about the way we are processing your information and the Council’s Data Protection Officer, please see our General Privacy Notice.