Individuals who we hold personal data about, known as ‘Data Subjects’, have a legal right and an expectation to be informed about how we process their personal information, for what purpose, for how long and what their rights are in connection with this processing. Data Controllers, such as Outcomes First 1 Limited and its subsidiaries, which are referred to by its trading name Outcomes First Group in this document, process personal data, provide Data Subjects with a Privacy Notice to explain how we collect, store and process their personal data in accordance with data protection laws. It is important that you read this notice carefully.
Please note that for data protection purposes, ‘Processing’ means collection, recording, organising, structuring or storing, adapting or altering, retrieving, consulting or use, disclosing by transmission, disseminating or otherwise making available, aligning or combining, or restricting, erasing or destroying personal data.
This Privacy Notice covers, but is not limited to, our people we support and educate, commissioners, stakeholders and staff, including applicants.
The organisation’s Data Protection Policy supplements this privacy notice and outlines our general policy on data protection matters.
WHY YOUR PERSONAL DATA IS IMPORTANT TO US
Your personal data is important to us as it enables us to realise our mission of improving the lives of young people, adults, their families and communities. It enables us recruit staff and carers, comply with our legal obligations, and to ensure that the young people and adults who are supported by schools or residential homes are well matched, and that they and our staff are closely supported to create a safe, nurturing space in which they can realise their full potential. Your personal data provides the insight to make that possible.
YOUR PERSONAL INFORMATION – WHAT WE HOLD AND HOW WE MANAGE DATA
We obtain personal data from numerous sources, which vary according to categories of Data Subjects and types of personal information ,including special categories of personal data and criminal convictions etc.. We will treat any personal data by which you can be identified in accordance with the provisions of the United Kingdom General Data Protection Regulation and the Data Protection Act 2018.
The following links provide further detail on how we collect and manage data on staff, those we support and their families, including those at referral and application stages.
• Staff, including Agency Staff and Applicants
• People We Support and their Families
The following link provides more specific details on how we store and use website user data.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data, but is not deemed personal data in law as this data does not directly or indirectly reveal your identity.
OUR LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA
We only collect and use personal information about you when the Law permits it, for example (but not limited to):
• To fulfil a contract we have entered into with you or to take steps at your request before entering into a contract
• To comply with a legal or regulatory obligation
• Where we, or a third party, have a legitimate interest in processing your information
• To carry out a task or exercise a duty in the public interest
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.
Less commonly, we may also use personal information about you where:
• You have given us consent to use it in a certain way
• We need to protect your vital interests (or someone else’s interests)
Some of the reasons listed above for collecting and using personal information about you overlap and there may be several grounds that justify our use of your data.
Consent: While the majority of information we collect from you is mandatory, there is some information that you can choose whether or not to provide to us. Whenever we seek to collect information from you (or your agency), we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice. Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and we will explain how you can withdraw consent easily if you wish to do so.
STORING, ACCESSING AND SHARING YOUR PERSONAL INFORMATION
Your personal data will be accessed on a ‘need to know’ basis. Any internal use of your data will be limited to those who are involved with working with you or need to have access to your information to work on your behalf, your matter etc. Any inappropriate use or access of personal data by our staff is regarded as a strict matter and may result in a disciplinary investigation being commenced.
Any information sharing with other stakeholders will be conducted with your privacy at the forefront of our considerations, with the Outcomes First Group ensuring that any relevant sharing is in accordance with the United Kingdom General Data Protection Regulation and the Data Protection Act 2018 or the common law duty of confidence where applicable. Our staff receive data protection training and we have data protection policies and procedures in place for all staff to follow.
Personal data held by us electronically is stored on secure computer systems and we control who has access to them. Where we use external companies to collect or process personal data on our behalf, we undertake checks on these companies before we work with them, and establish an agreement setting out our expectations and requirements, especially regarding how they manage the personal data they process on our behalf. We endeavour to ensure our suppliers do not transfer your personal data outside of regions that do not have adequate data protection law by putting permissible legal mechanisms in place.
Transferring Data Internationally
Under data protection law, we will only transfer personal data to a country or territory outside the United Kingdom, where:
• the UK government has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
• there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
• a specific exception applies under data protection law.
If you would like further information about data transferred outside the UK, please contact the Data Protection Team (see below, Contact Us).
YOUR DATA PROTECTION RIGHTS
How to access personal information we hold about you
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the company or service holds about them. A request can be made in any format, verbally or in writing, to your local service or to the Data Protection Team at email@example.com.
If you are considering a request, please make it is as clear, concise and specific as possible as this will allow us to locate the information you are seeking as quickly as we can. Please note that the right of access is not absolute and there may be occasions whereby your data may not be supplied as it is covered by an exemption.
You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.
Your other rights regarding your data
Subject to certain exceptions, you have the right to:
• Object to the use of your personal data if it would cause, or is causing, damage or distress
• Prevent your data being used to send direct marketing
• Object to the use of your personal data for decisions being taken by automated means (by a computer or machine, rather than by a person)
• Receive your personal data in a structured, commonly used and machine-readable format
• In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
• Restrict the processing of your personal information for certain purposes
• Claim compensation for damages caused by a breach of our legal and compliance obligations in respect of your data
To exercise any of these rights, please contact your local service or the Data Protection Team (see below, Contact Us).
Information relating to these rights, and rights in relation to automated decision making and profiling, can be found on the ICO’s website
Please note that where a subject access request is considered to be excessive, then we reserve the right to charge for our costs in complying with the request based on the Information Commissioner’s guidance prevailing at the time the request is received.
HOW TO RAISE A CONCERN
We take any complaints about our collection and use of personal information very seriously. If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact your local service manager or the Data Protection Team, who will liaise with the Data Protection Officer. If you remain dissatisfied, you can make a complaint to the Information Commissioner’s Office:
• Website: https://ico.org.uk/concerns
• Phone: 0303 123 1113
• Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
DATA PROTECTION OFFICER AND ICO REGISTRATION
The Data Protection Officer on behalf of Outcomes First Group is Christopher Duffy, who can be contacted at firstname.lastname@example.org.
The Data Protection (Charges and Information) Regulations 2018 require every organisation that processes personal information to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt. Outcomes First Group companies are registered with the ICO for this purpose and details of our registrations are referred to in the Article 30 Statement of Processing Activities. Current registrations can also be checked on the ICO’s website at any time here.
If you have any questions, concerns or would like more information about anything covered in this Privacy Notice, please contact our Data Protection Team by email at email@example.com or by phone on 01789 767800 (Option 6).
Updated: February 2021
Owner: Data Protection Officer
We may need to update this Privacy Notice periodically and reserve the right to do so without giving notice, so we recommend that you revisit this information from time to time.