Children and Young People Services (CYP) privacy notice

Download the Children and Young People's (CYP) privacy notice in a different language.

The Children and Young People’s service (CYP) is responsible for providing services to children and young people in Suffolk; this includes Family Support (formally known as Early Help), Social Care and services relating to Education, Skills, Youth Justice, and Early Years services. On occasions we may need to collect and use personal data in order to fulfil these duties.

The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), collectively referred to as data protection law.

This privacy notice explains how CYP uses information about you when you contact us or use our services, and how we protect your privacy.

Suffolk County Council is the controller for the personal information that is being processed.  If you have any queries about how CYP is collecting or using your personal data, you can contact the service at:

cyp.dataprotection@suffolk.gov.uk

Contact details for the council’s Data Protection Officer and Compliance Manager can be found in the council’s corporate privacy notice, which is available on the council’s website.

Personal data includes information about you, which can be used to identify you as an individual.  Examples include:

• Your name
• Your date of birth
• Your contact details
• Your image

Special category data is the most sensitive type of personal data and includes:

• Information about your health or any social care services that you may use
• Information that could identify your racial or ethnic origins
• Information that could identify your political beliefs
• Information that could identify your religious or philosophical beliefs
• Information that could identify your trade union membership
• Genetic data
• Biometric data (where used to identify you, e.g. use of fingerprints to access online services)
• Information about your sex life, or sexual orientation

In order to provide services, we collect the following personal data from you:

• Name
• Contact details including email address and telephone number
• Your date of birth
• Any other personal information that you provide that is relevant to your contact

We sometimes need to collect the following information from other sources including:

• Your health records
• Information about your eligibility to work with vulnerable groups of people (such as DBS and Police National Computer (PNC) checks and checks with the Local Authority Designated Officer (LADO) )
• Information relating to education
• Ethnic group, home circumstances, language, and health information
• National Curriculum assessment results
• School attendance/ exclusion information
• Details of any special educational needs for young people
• Relevant medical information for young people/ parents/ carers – only where appropriate e.g. special educational needs or disability
• Physical or mental health
• Any additional personal information that is necessary to provide you with the correct service
  • In some circumstances this may require us to hold information on adults within the family
  • We may, in some circumstances, also check what previous services have been offered to you and your family

Children and Young People’s services provides the following (non-exhaustive list of) services:

Early Years and Childcare

• Leading, managing, and developing Early Years and Childcare services
• Planning, reviewing, and organisation early years places, childcare places, and school places
• Identifying those children eligible for funded early years education, and informing parents of their entitlement to funded childcare
• Administration and payment of early education funding to all childcare providers

Education, Skills and Learning

• Provision of education within schools
• Services to schools to promote high standards – including training, advice, monitoring, and support
• Provision of educational support services
• Provision of education for children in care
• Providing information to schools regarding licences (such as Performance licences)
• Admissions to school
• School travel
• Free school meals eligibility
• Provision of careers and Post-16 education
• Post-16 skills opportunities

Inclusion Service

• Provision for Children & Young People with Specialist Educational Needs & Disabilities.
• Delivery of statutory duties for EHC Needs Assessment, Annual Reviews and EHC Plans.
• Strategic oversight with partners in the Local Area including coproduction.
• Quality assurance of providers and internal processes.
• Specialist services for children and families who may be vulnerable or have higher levels of needs. This includes Special Educational Needs and/or Disabilities and those with medical needs.
• Commissioning and contract management of specialist provision for children in Suffolk.
• Admissions to specialist and Alternative Provision.
• Manage Short Break Offer.
• Support for CYP for Emotional Wellbeing, behaviour and learning across Suffolk.

Social Care services

• Provision of social care services for vulnerable children and young people, and their families
• Fostering and adoption services
• Safeguarding services
• Specialist services for children and families who may be vulnerable or have higher levels of needs. This includes Special Educational Needs and/or Disabilities, young people who have offended, or are at risk of offending, or being involved in anti-social behaviour
• Services for young people at risk from gangs, County Lines activity or radicalisation
• Services that support Children in Care and Care Leavers
• Residential Care Provision

Enhanced and preventative services

• Universal services
• Family Support (formally known as Early Help) Services, including the CHRIS service and Key Worker Services
• Community Nursing
• Family Support
• Attendance support for young people at risk, or not in education, employment or training (NEET)

Management information

• Planning and performance of CYP
• Managing fully integrated information systems supporting CYP
• Collecting, processing, and administering statutory data – including census returns and end-of-key-stage assessments
• Overseeing services provide by CYP, including SENDIASS and Safeguarding

Working with other organisations to support the health and wellbeing of children and young people, including the commissioning of services to enable us to do this

We collect and use information about young people and families to enable CYP to provide the above services and  to ensure we carry out specific functions for which we are responsible. These functions include:

• providing appropriate support and care to young people and families
• collating statistics which inform decisions such as
  • funding
  • provision of services
  • admissions to schools
  • exclusions from schools
  • assess performance and set targets to maintained schools
  • audit how well our services are meeting the needs of young people and families
  • assess levels of funding required, such as
    • free school meals
    • early years funding
    • promote welfare, safeguarding, health and wellbeing for young people
    • assess how well Children’s Services is performing
    • assess and improve finance and individual service planning
    • monitoring of ethnicity and disability
    • delivery of services and support to you
    • managing our services
    • training workers
    • investigating complaints about our services
    • monitoring and protecting public spending
    • helping us to improve and plan new services
    • complying with laws that require us to provide personal information to other organisations, such as health organisations, government departments, and courts

Personal data

Under data protection law, Children & Young People’s services (CYP) can only process your personal data if it is lawful to do so.  Please see the details below of the lawful bases that we rely on for processing different types of personal data.

For processing personal data, we rely on the following lawful basis(es):

• UK GDPR Article 6(1)(e) – where processing is necessary for us to perform a task which is in the public interest (public task)

Special category data

When we process special category data, we rely on the following additional lawful basis(es): (delete all that do not apply)

• UK GDPR Article 9(2)(b) –  where processing is necessary for CYP to carry out specific obligations or exercise rights relating to employment, social security, and social protection (Schedule 1, Part 1, section 1, DPA 2018)

• UK GDPR Article 9(2)(f) – where processing is necessary to establish, carry out or defend legal claims

• UK GDPR Article 9(2)(g) – where processing is necessary for reasons of substantial public interest, specifically:

• for statutory and government purposes (Schedule 1, Part 2, section 6, DPA 2018)

• for monitoring of equal opportunities and treatment (Schedule 1, Part 2, section 8, DPA 2018) – note this will only apply where specific special cat. Data (health, sexual orientation, and religious or philosophical beliefs) is being processed to enable equality of opportunity or treatment to groups of people in relation to the category of data

• for preventing or detecting unlawful acts (Schedule 1, Part 2, section 10, DPA 2018)

• to protect the public against dishonesty (Schedule 1, Part 2, section 11, DPA 2018)

• for preventing fraud (Schedule 1, Part 2, section 14, DPA 2018)

• for the safeguarding of children and of individuals at risk (Schedule 1, Part 2, section 18, DPA 2018)

• UK GDPR Article 9(2)(h) – where processing is necessary for the provision of health and/or social care purposes (Schedule 1, Part 1, section 2, DPA 2018)

• UK GDPR Article 9(2)(j) – where processing is necessary for archiving, research or statistical purposes that are in the public interest (Schedule 1, Part 1, section 4, DPA 2018)

Criminal offence data – general processing

CYP also processes criminal offence data which may include:

• Information about any criminal record or criminal history
• Allegations of criminal behaviour, including unproven allegations
• Absences of convictions, for example the results of DBS checks, or Police National Computer checks
• Personal data of victims and/or witnesses
• Personal data about criminal penalties that may have been awarded

In addition to the lawful bases that we have identified under “Personal data” above, we process criminal offence data under the following condition(s) of Schedule 1 of the DPA 2018:

• where processing is necessary to carry out specific obligations or exercise rights relating to employment, social security, and social protection (Schedule 1, Part 1, section 1, DPA 2018)

• where processing is necessary for the provision of health and/or social care purposes (Schedule 1, Part 1, section 2, DPA 2018)
• where processing is necessary for archiving, research or statistical purposes that are in the public interest (Schedule 1, Part 1, section 4, DPA 2018)
• where processing is necessary for statutory and government purposes (Schedule 1, Part 2, section 6, DPA 2018)
• where processing is necessary for regulatory requirements relating to unlawful acts and dishonesty (Schedule 1, Part 2, section 12, DPA 2018)
• where processing is necessary for preventing fraud (Schedule 1, Part 2, section 14, DPA 2018)
• where processing is necessary for the provision of counselling (Schedule 1, Part 2, section 17, DPA 2018)
• where processing is necessary for the safeguarding of children and individuals at risk (Schedule 1, Part 2, section 18, DPA 2018)
  • where processing is necessary for disclosing information to elected representatives (Schedule 1, Part 2, section 24, DPA 2018) - where information is shared with councillors on their request and where they are acting on behalf of a constituent
  • where processing is necessary for legal claims (Schedule 1, Part 3, section 33, DPA 2018)

Law enforcement purposes

CYP is a competent authority for the purposes of Part 3 of the DPA 2018 and we process personal data so that we can prevent, investigate, and prosecute criminal activities, or exercise criminal penalties

This means that we can process personal data for law enforcement purposes when there is a basis in law for personal data to be processed and:

• When processing is necessary to enable us to perform a task that is being carried out for law enforcement purposes

In addition to the above, we undertake sensitive processing for law enforcement purposes when:

• When processing is strictly necessary and cannot be achieved in any other way and meets the following conditions from Schedule 8 of the DPA 2018: (delete any that do not apply)

• Where processing is necessary for statutory purposes (Schedule 8, section 1, DPA 2018)
• Where processing is necessary to establish, carry out or defend legal claims (Schedule 8, section 6, DPA 2018)
• Where processing is necessary to prevent fraud (Schedule 8, section 8, DPA 2018)
• Where processing is necessary archiving, research or statistical purposes (Schedule 8, section 9, DPA 2018)

Children & Young People’s services does share information with the following recipients in situations where information is requested by other organisations in order to provide you with the correct service:

• The Department for Education (DfE) on a statutory basis under the Education Regulations 2013
• Public agencies such as the NHS (e.g. GPs), health organisations, the police
• HM Courts and Tribunals Services (HMCTS)
• Other government departments such as the Home Office and the Department for Work and Pensions
• Services we commission (such as health, care, and specialist services)
• Education providers (such as maintained schools, academies, and free schools)
• Organisations seeking to prevent the radicalisation of young people (such as Channel, and Prevent)
• Information gained from a third-party organisation (such as a voluntary organisation or the police) for safeguarding and wellbeing purposes
• Information where there are risks around Criminal Sexual Exploitation (CSE)
• Organisations seeking to prevent crime (such as the police, and the National Crime Agency)
• The Children and Family Court Advisory and Support Service (CAFCASS)
  • Information shared with commissioned accommodation providers for 16+ accommodation when placing a care leaver with them
  • Information shared with providers of residential care settings when placing children in care

We do not transfer any personal data to any countries or international organisations outside of the EU, the EEA (European Economic Area), or any other country that does not have an equivalent level of data protection to the UK.

Data is only held for the minimum period required by CYP to undertake its legal responsibilities. Often, these retention periods are set out by law.

At the end of its retention period, data is reviewed, leading to one of the following outcomes:

• secure destruction – the data is no longer required
• review/keep – the data is required for a further period, and this period is documented
• archive – some or all of the data may be retained by the Suffolk Archives for archiving, research, or historical purposes

Retention periods follow nationally agreed standards, but some retention periods have been amended locally to enable the Council to comply with obligations under law. Further details regarding retention period can be obtained by contacting cyp.dataprotection@suffolk.gov.uk

CYP does not use automated decision-making processes or profiling in respect of your information.

Under data protection law, you have the right to request access to the information that we hold about you.  If you would like to make a request to access your personal information, please contact data.protection@suffolk.gov.uk.

You also have other rights regarding your personal data.  You can find out more information about these rights by looking at the council’s corporate privacy notice.

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Email: casework@ico.org.uk