Far too many young people continue to be drawn into areas of violence, exploitation, and county lines. Let’s draw the line, together. Learn more.

Dismiss close

Eye Accessibility Tools
Search
Search
Menu Close
Home / Resources / Catch22 College: Consent policy

Post-16

Catch22 College: Consent policy

23 July 2025

Two students smile as they work together at a computer. They are sat in a library and other computers can be seen in a row. One is sat in a chair, and the other is leaning over pointing to something on the screen. Overlaid is text that reads: "Catch22 College".

Catch22 reserves the right to amend this policy, following consultation, where appropriate.

Date of last review: July 2025

Date of next review: February 2026

What is the policy about?

This policy explains how Catch22 College collects, processes, and manages personal data, ensuring compliance with the UK General Data Protection Regulation (UK GDPR). It details the types of data collected, how it’s used, and the rights students have regarding their data. The policy aims to protect students’ privacy while ensuring that necessary information is shared for educational, welfare, and legal purposes.

Who does this policy apply to?

This policy applies to all students attending Catch22 College. It also applies to staff, contractors, volunteers, and third-party service providers who manage or have access to student data. The policy covers all personal and sensitive data collected, processed, and stored by Catch22 College.

Policy requirements

Data collection and consent

Catch22 colleges will collect personal data transparently and lawfully. One of our legal bases for processing this personal data is the use of consent (explicit consent where special category data). Consent forms will clearly state the data controller, purpose of data processing, type of data being collected, any sharing of data with third parties, and the right to withdraw.

  • Action: Consent will be requested at the start of the academic year (or at the point of students expression at interest), and the forms will outline data collection purposes and sharing practices.
  • Responsible: The Data Protection Officer (DPO) will provide guidance to the college on how to maintain compliance, with all college and governance staff ensuring compliance with documented policies and processes.

Data usage

Personal data will be used to support student learning, monitor attendance, provide healthcare, and meet legal obligations. Data will only be processed for these specific purposes.

  • Action: Data will be used for academic support, student welfare, and legal compliance.
  • Responsible: All managers and staff will ensure data is used appropriately with the Head of Operations – Learning & Skills reviewing the school’s Record of Processing Activity annually and the DPO guiding on any identified areas of non-compliance.

Data security

Catch22 College will secure student data by limiting access to authorised personnel on a model of least privilege and storing data in protected systems.

  • Action: Personal data will be stored securely in approved systems and locked filing cabinets.
  • Responsible: IT and all departmental staff will maintain security, school staff will ensure they follow Catch22’s policies (including Information Security, Data Protection, and IT), and controls will be externally audited annually.

Data sharing

Data will be shared only when legally required or for student support purposes. All sharing will comply with the UK GDPR and DPA 2018.

  • Action: Data will be shared with authorized external bodies such as schools or social services, only when necessary.
  • Responsible: Managers will oversee compliance and where there is no agreement in place, will request assistance from the DPO. The DPO will guide Managers on which type of agreement is most appropriate for the data sharing and guide the managers through the build of the agreement. The Managers will ensure all signed agreements are provided to the DPO for storing in the central document repository. Managers will also ensure that any new sharing is added to the Record of Processing Activity if not already covered by the existing entry.

Data retention and disposal

Catch22 College will retain personal data for the legally required duration and dispose of it securely once no longer needed.

  • Action: Data retention will follow legal and contractual requirements, with secure disposal once it’s no longer needed.
  • Responsible: The DPO will provide guidance regarding data retention timelines where staff require assistance. Managers will ensure that the retention timings on the college’s Record of Processing Activity entry is accurate during both annual reviews or when a change to retention timings is identified. Staff will follow disposal procedures when data meets the retention timelines.

Right to withdraw consent

Students can withdraw consent for data processing at any time. All data already processed only under consent will then be erased and ongoing processing halted. Data processed under consent and another legal basis such as Legal Obligation or Legitimate Interests may then still be processed as required.

  • Action: Withdrawal of consent will be promptly recorded, and data processing for that purpose will cease.
  • Responsible: Staff will make the DPO aware of any consent withdrawal requests. The DPO will guide staff on the next steps and log the withdrawal request. Staff will ensure records are updated and information is erased as required.

Transparency and communication

Catch22 College will ensure students are informed about how their data is used and shared, providing access to the Privacy Policy.

  • Action: The Privacy Policy will be shared with students during enrolment and updated as needed.
  • Responsible: The staff team will maintain and distribute the Privacy Policy within enrolment forms and among staff, with managers ensuring students are informed.

Definitions

  • Personal Data: Any information relating to an identified or identifiable individual, such as name, address, or contact details. All data described as Personal Data under UK GDPR Article 4(1).
  • Special Category Data: Sensitive data, such as ethnicity, medical information, and special educational needs (SEN) data. All data described in UK GDPR Article 9(1).
  • Data Processing: Any operation performed on personal data, including collection, storage, use, and sharing.
  • Consent: A freely given, specific, informed, and unambiguous indication of the individual’s wishes by which they, by a statement or a clear affirmative action, signify agreement to the processing of their personal data.

Related policies

  • Privacy Policy: This outlines how Catch22 College collects and processes personal data.
  • Suite of Data Protection Policies: These policy detail our approach to Data Protection ensuring compliance with UK GDPR, DPA 2018, and PECR 2003.
  • Suite of Data Protection Policies: Details Catch22’s approach to maintaining the confidentiality, integrity, and availability of data
  • Retention Policy: Specifies how long personal data is retained and the process for its secure disposal.

Related links and downloads

Download a copy of this policy