The Becklands School (VCare Group) Privacy Policy
Last Updated 10/07/2026
| Version | Date | Changes | Reviewed By |
| 1.0 | 05/05/2022 | Initial Release | Data Protection Officer |
| 1.1 | 13/09/2023 | Annual Review. | Data Protection Officer |
| 1.2 | 12/03/2024 | Annual Review. | Data Protection Officer |
| 1.3 | 30/04/2025 | Annual review. Added changelog. Added use of AI, GAN and similar systems. Added clarifications around VCare Group of companies. | Data Protection Officer |
| 1.4 | 10/07/2026 | Updated to reflect VCare Group, wider business coverage, data subject rights, complaints, AI, monitoring, lawful bases, international transfers, retention summary and alignment with employee and children and young people privacy notices. | Data Protection Officer with AI Assistance |
1. About this Privacy Policy
VCare Group respects your privacy and is committed to protecting personal data. This Privacy Policy explains how we collect, use, store, share and protect personal data across our organisation, including our care, education, secure transport, business support, training, corporate and website services.
This policy is intended for publication on our website and for use in contracts, tenders and service information. It applies to personal data processed in all VCare Group systems, records and services, whether held electronically, on paper, in backups, in email, in line-of-business systems, or through approved third-party systems used to deliver our services. It should be read alongside any more specific privacy notice that applies to you, including our Employee Privacy Notice and our Privacy Information for Children and Young People.
2. Legal Framework and Data Protection Principles
We process personal data in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018 and other applicable data protection, privacy, safeguarding, care, education, employment, health and social care, contractual and regulatory requirements.
When handling personal data, we follow the data protection principles of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. This means we aim to be clear about how we use data, use it only for appropriate purposes, keep it accurate where required, protect it properly, retain it only for as long as needed, and maintain evidence of our compliance.
3. Who We Are and Our Data Protection Role
VCare Group may act as a data controller, joint controller or data processor depending on the service, contract or legal arrangement in place. Where we decide why and how personal data is used, we act as a controller. Where we share responsibility with another organisation, such as another group company, commissioner, school, local authority, NHS body, police force or partner, we may act as a joint controller. Where we process personal data only on documented instructions from another controller, we act as a processor.
4. VCare24, VCare Group and Group Companies
For the purposes of this Privacy Policy, “VCare Group” is used as a collective term for the group of related companies, services, divisions and trading names operated by the organisation. Your contract, service relationship, employment, referral, placement, enquiry or other interaction may be with a specific VCare Group company or trading name, such as VCare24, VCare Residential, VMDM, VCare Training Solutions, The Becklands School, Millbrook Horizons or another group company or trading name used by the organisation. That specific company will normally be responsible for the personal data it controls in relation to that service or relationship.
Where this Privacy Policy refers to VCare Group, it includes VCare24, VCare Residential, VMDM, VCare Training Solutions, The Becklands School, Millbrook Horizons and any other group company, service, division or trading name used by the organisation. VCare Group companies may act as data controllers, joint controllers or processors depending on the service, contract or legal arrangement in place. Personal data may be processed by or shared between VCare Group companies where this is necessary, lawful and proportionate for service delivery, care, education, secure transport, safeguarding, governance, finance, HR, IT, training, compliance, audit, contract management, legal obligations, business administration or group-wide support services. Each group company is responsible for ensuring that any personal data it controls is handled in line with UK data protection law and this Privacy Policy, unless a separate privacy notice or contract explains otherwise.
5. Who This Policy Applies To
This policy applies to personal data about people who interact with VCare Group or whose information is processed through our services. This may include children and young people, pupils and students, service users, patients, families, carers, parents, guardians, advocates, commissioners, local authority staff, NHS staff, police and emergency service contacts, visitors, website users, suppliers, contractors, job applicants, employees, workers, volunteers, governors, directors, professional advisers and other business contacts.
6. Personal Data We Collect
The personal data we collect depends on the service or relationship involved. It may include names, addresses, dates of birth, contact details, emergency contacts, next of kin details, identifiers, photographs, signatures, account details, recruitment and employment information, right to work information, payroll, tax, National Insurance, pension, benefits, expenses and bank account information, education records, attendance information, care records, referral information, transport booking information, location and journey details, safeguarding information, incident reports, risk assessments, complaints, enquiries, financial records, website and cookie data, device and system information, audit logs, access records, CCTV, access control, telephone, email, internet, vehicle, premises and other security or monitoring records where used, and correspondence by email, post, telephone or other approved channels.
Some of the information we process is more sensitive and receives additional protection. This may include health information, disability information, medication and care needs, safeguarding information, behavioural information, risk information, equality monitoring information, ethnicity, religious or philosophical beliefs where relevant, trade union information where relevant to employment, information about reasonable adjustments or occupational health, professional registration information, DBS checks, barred list checks, and information relating to criminal offences, allegations, convictions or safeguarding risks. We only process this information where it is necessary, lawful and proportionate.
7. Where We Collect Data From
We may collect personal data directly from you, from someone acting on your behalf, from a parent, guardian, carer or advocate, from commissioners, local authorities, NHS organisations, police forces, schools, colleges, safeguarding partners, courts, employment agencies, background check providers, occupational health providers, professional bodies, professional advisers, regulators, suppliers, contractors, group companies, public sources, website forms, cookies and analytics tools, internal systems, TUPE or business transfer processes, and from the systems and records we use to provide and manage our services.
Where we receive information from another organisation, that organisation may also provide its own privacy information. We also provide more specific privacy notices for particular groups, including employees, workers, contractors, volunteers, job applicants, children and young people. Those notices explain how this global policy applies in more detail to the relevant group and should be read alongside this policy.
8. Systems and Records Covered by This Policy
This policy covers personal data processed in all systems and records used by VCare Group and relevant group operations. This includes, where applicable, care records, education and school records, secure transport systems, booking systems, HR and payroll systems, pension and benefits systems, recruitment and onboarding systems, finance systems, business systems, IT service management systems, backup and disaster recovery systems, reporting and analytics tools, safeguarding and incident records, CCTV and access control systems, telephony systems, vehicle and premises records, website platforms, forms, databases, paper files, scanned documents, archives and approved third-party platforms.
Personal data may also appear in audit logs, metadata, system monitoring, security alerts, backups, email threads, tickets, reports, meeting records, call notes, correspondence and business intelligence reporting. We manage these records under our data protection, information security, access control, retention, incident management and supplier management arrangements.
9. How We Use Personal Data
We use personal data to provide, manage, improve and protect our services. This includes delivering care and support, operating schools and education services, arranging and providing secure transport, managing referrals and placements, supporting safeguarding and welfare, managing risk, responding to incidents, communicating with individuals and professionals, managing contracts, processing payments, meeting employment and engagement obligations, administering recruitment, onboarding, payroll, pensions, benefits, expenses, annual leave, absence, training, supervision, appraisals, performance, conduct, grievance and disciplinary processes, operating IT and business support services, maintaining records, reporting to commissioners and regulators, complying with legal duties, responding to rights requests, managing complaints, preventing fraud or misuse, maintaining security, investigating concerns and improving service quality.
10. If You Do Not Provide Personal Data
In some situations, we need certain personal data to provide a service, consider a referral, arrange care, education or secure transport, process an enquiry, manage a contract, meet employment or recruitment obligations, comply with legal duties or keep people safe. If required information is not provided, we may be unable to provide the relevant service, progress an application, enter into or manage a contract, meet statutory requirements or respond fully to a request.
11. Care, Education, Secure Transport and Business Services
Across our care, education, secure transport and business services, we may process personal data to meet contractual, professional, safeguarding, operational and legal requirements. In residential care and support services this may include referrals, placement records, care planning, safeguarding, health, medication, risk, behaviour, incident and family contact information. In schools and education services this may include pupil or student records, admissions, attendance, safeguarding, welfare, education support, behaviour, medical and dietary information, parental or carer contact details and statutory reporting. In secure transport this may include booking information, collection and destination details, risk assessments, journey notes, health or support needs, incident information and professional contacts. In business services this may include HR, finance, IT, facilities, governance, compliance, legal, training, audit and supplier records.
12. Lawful Bases for Processing
We only process personal data where we have a lawful basis under UK data protection law. Depending on the purpose, we may rely on contract, legal obligation, vital interests, public task, legitimate interests or consent. Consent is only used where it is appropriate and where a genuine choice is available. In employment and similar working relationships, consent will not usually be relied on for core processing because of the imbalance between VCare Group and the individual. Where we rely on consent, you may withdraw it at any time, although this will not affect processing already carried out before withdrawal and we may continue to process information where another lawful basis applies.
Where we process special category data, we also identify an Article 9 condition, such as provision of health or social care, safeguarding children and individuals at risk, employment, social security and social protection law, substantial public interest, equal opportunities monitoring, assessment of working capacity, occupational health, legal claims, vital interests or explicit consent where appropriate. Where we process criminal offence data, including DBS checks, barred list checks, offences, allegations or safeguarding checks, we do so only where authorised by law and subject to appropriate safeguards.
13. Legitimate Interests
Where we rely on legitimate interests, we consider whether our interests are necessary, lawful and balanced against your rights, freedoms and reasonable expectations. Legitimate interests may include managing and improving our services, maintaining security, preventing fraud or misuse, managing contracts and business relationships, responding to enquiries, protecting legal rights, supporting governance and audit, operating group-wide administration, and ensuring business continuity.
14. Who We Share Personal Data With
We may share personal data where this is necessary, lawful and proportionate. This may include sharing with local authorities, NHS bodies, police and emergency services, schools and education partners, safeguarding partners, regulators, Ofsted, CQC, courts, solicitors, insurers, auditors, professional advisers, commissioners, contract managers, families, carers or representatives where lawful and appropriate, group companies, payroll providers, pension providers, benefit providers, occupational health providers, background check providers, recruitment agencies, IT support providers, cloud service providers, hosting providers, backup providers, finance providers, training providers, contractors, agents and other organisations that support the delivery, management or protection of our services.
We do not sell personal data. Where we use suppliers or processors, we require appropriate contractual, technical and organisational safeguards. Where personal data is shared within VCare Group, this is done for legitimate administrative, operational, governance, safeguarding, compliance or service delivery purposes and subject to appropriate controls.
15. Security and Access Controls
We use appropriate technical and organisational measures to protect personal data from unauthorised access, loss, misuse, alteration or disclosure. These measures may include access controls, role-based permissions, authentication, staff training, confidentiality obligations, secure storage, encryption where appropriate, backups, audit logging, monitoring, supplier due diligence, incident management, physical security and regular review of our information security arrangements.
Access to personal data is limited to people who need it for their role or service. Staff and suppliers are expected to follow our data protection, information security, acceptable use, access control, retention, breach management, physical security and related policies.
VCare Group may monitor the use of its systems, devices, accounts, networks, vehicles, premises, telephone systems, email, internet access and business applications where this is necessary and proportionate for security, safeguarding, regulatory compliance, service quality, incident investigation, fraud prevention, health and safety, audit or business continuity purposes. Monitoring will be carried out in line with relevant policies and individuals will be informed where monitoring is in place unless exceptional circumstances apply, such as where informing individuals would prejudice the prevention or detection of serious wrongdoing.
16. International Transfers
VCare Group is based in the United Kingdom. Some systems, suppliers or support services may process personal data outside the United Kingdom where this is necessary for service delivery, hosting, support, security or business continuity. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place, such as UK adequacy regulations, the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other lawful transfer mechanisms.
Suppliers that process personal data for us must follow our instructions, protect personal data appropriately and meet relevant contractual and legal requirements.
17. Cookies and Website Data
Our website may use cookies and similar technologies to make the website work, improve functionality, understand how visitors use the site and support security and performance. Cookies may collect information such as device information, browser type, operating system, IP address, pages visited and interaction with the website. Where non-essential cookies or similar technologies are used, we will provide appropriate information and choices through our website cookie banner, cookie settings or a separate Cookie Policy. You can also manage cookies through your browser settings, although some website features may not work properly if cookies are disabled.
18. Retention and Disposal
We keep personal data only for as long as necessary for the purpose it was collected, including to provide services, meet legal and regulatory duties, resolve disputes, maintain audit trails, manage safeguarding responsibilities, support business continuity, respond to rights requests, comply with insurance or contractual requirements, defend legal claims and enforce agreements. Retention periods vary depending on the type of record, service area and legal requirement. Detailed retention periods are managed through our internal records retention arrangements and related policies. Records may be retained for longer where there is a legal hold, safeguarding matter, statutory inquiry, investigation, audit, complaint, litigation risk, subject access request or another overriding reason to retain them.
19. Anonymised and Aggregated Data
Where appropriate, we may anonymise or aggregate information so that it no longer identifies individuals. We may use anonymised or aggregated information for reporting, audit, service improvement, business planning, quality assurance, safeguarding oversight, contract monitoring, performance analysis and research or statistical purposes. Where information has been properly anonymised, it is no longer personal data.
20. AI, Automation and Approved Digital Tools
VCare Group may use approved artificial intelligence, generative AI, automation, algorithmic or similar tools to support staff with workload management, administration, quality assurance, information security, customer service, business operations, document preparation, analysis and service improvement. We assess these tools before use and apply appropriate controls, including data protection impact assessments where required.
Our staff must not enter personal data into unapproved systems. We recognise the risks associated with AI and similar systems, including inaccurate outputs, bias, inappropriate disclosure, hallucinated information and security concerns. AI and automation tools are not used to make solely automated decisions that have legal or similarly significant effects unless this is specifically notified, subject to meaningful human review, supported by appropriate safeguards and lawfully permitted. Where such processing applies, we will provide specific information about the decision-making involved, the significance of the processing and the rights available to affected individuals. Outputs from AI or automation must be reviewed by an appropriate person before being relied upon. Use of these tools is governed by our AI, data protection, information security and acceptable use requirements.
21. Data Subject Rights and Complaints
Under UK data protection law, you have rights in relation to your personal data. Depending on the circumstances and the lawful basis used, these may include the right to access your personal data, ask for inaccurate or incomplete data to be corrected, ask for personal data to be erased, ask us to restrict processing, object to processing, request data portability, withdraw consent where consent is used, and ask us not to make decisions based solely on automated processing where this applies.
You can exercise your rights by contacting the Data Protection Officer using the contact details in this policy. We may need to ask for information to confirm your identity and ensure that personal data is not disclosed to someone who is not entitled to receive it. We will respond to requests within the timescales required by law and will explain our decision if a right does not apply or if we cannot fully comply with a request.
These rights are not absolute and may not apply in every situation. For example, we may need to retain or continue using information to meet legal duties, safeguard children or individuals at risk, provide care, education, secure transport or other services, manage employment or engagement obligations, respond to regulators, maintain audit trails, investigate concerns, comply with insurance or contractual requirements, or defend legal claims. Where this applies, we will explain the reason as clearly as we can.
No fee is usually required to access your personal data or exercise your rights. However, where a request is clearly unfounded, excessive or repeated, we may charge a reasonable fee or refuse to comply where the law allows us to do so.
If you are unhappy with how we collect, use, store, share, retain or protect your personal data, please contact the Data Protection Officer so that we can investigate and respond to your concerns. We will handle privacy complaints fairly, promptly and in line with our data protection, complaints and incident management arrangements.
You also have the right to complain to the Information Commissioner’s Office, which is the UK regulator for data protection. The ICO may expect you to raise your concern with us first before it considers your complaint. You can contact the ICO through its website at www.ico.org.uk or by telephone on 0303 123 1113.
22. Other Privacy Notices and Policies
This public policy is supported by more detailed privacy notices and internal policies. These may include employee privacy notices, children and young people privacy notices, service-specific notices, data protection policies, information security policies, acceptable use policies, access control policies, records retention arrangements, data breach procedures, subject access procedures, safeguarding policies, CCTV or physical security policies, AI policies and supplier management arrangements. Where a more specific notice applies to a particular group or service, it should be read alongside this global policy. If there is any difference in wording, the more specific notice will provide the additional detail for that group or service, while this policy continues to explain VCare Group’s overall approach across all activities.
23. Changes to This Policy
We review this Privacy Policy regularly and may update it from time to time. Updated versions will take effect when published unless otherwise stated. Where a change materially affects how we use personal data, we will take reasonable steps to make people aware of the change where required.
24. How to Contact VCare Group
If you have any questions about this Privacy Policy, how we use personal data, or if you want to exercise your data protection rights, please contact our Data Protection Officer using the details below.
Please write to:
VCare Group
Unit 10, Halifax Way
Pocklington Industrial Estate
YO42 1NP
If you are unhappy with how we have handled your personal data, you can contact the Data Protection Officer so that we can investigate and respond. You also have the right to complain to the Information Commissioner’s Office, which is the UK regulator for data protection. The ICO may expect you to raise your concern with us first before it considers your complaint.