Privacy Policy

Individuals who we hold personal data about, known as ‘Data Subjects’, have a legal right and an expectation to be informed about how we process their personal information, for what purpose, for how long and what their rights are in connection with this processing. Data Controllers, such as Outcomes First 1 Limited and its subsidiaries, which are referred to by its trading name Outcomes First Group in this document, process personal data, provide Data Subjects with a Privacy Notice to explain how we collect, store and process their personal data in accordance with data protection laws. It is important that you read this notice carefully.

Please note that for data protection purposes, ‘Processing’ means collection, recording, organising, structuring or storing, adapting or altering, retrieving, consulting or use, disclosing by transmission, disseminating or otherwise making available, aligning or combining, or restricting, erasing or destroying personal data.

This Privacy Notice covers but is not limited to the people we support and educate, commissioners, stakeholders and staff, including applicants.

The organisation’s Data Protection Policy supplements this privacy notice and outlines our general policy on data protection matters.

WHY YOUR PERSONAL DATA IS IMPORTANT TO US

Your personal data is important to us as it enables us to realise our mission of improving the lives of young people, adults, their families and communities. It enables us recruit staff and Careers, comply with our legal obligations, and to ensure that the young people and adults who are supported by our schools or residential homes are well matched, and that they and our staff are closely supported to create a safe, nurturing space in which they can realise their full potential. Your personal data provides the insight to make that possible.

YOUR PERSONAL INFORMATION – WHAT WE HOLD AND HOW WE MANAGE DATA

We obtain personal data from numerous sources, which vary according to categories of Data Subjects and types of personal information, including special categories of personal data and criminal convictions etc. We will treat any personal data by which you can be identified in accordance with the provisions of the United Kingdom General Data Protection Regulation and the Data Protection Act 2018.

The following sections provide further detail on how we collect and manage data on staff, those we support and their families.

Staff, including Agency Staff and Applicants
People We Support and their Families

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data, but is not deemed personal data in law as this data does not directly or indirectly reveal your identity.

OUR LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

We only collect and use personal information about you when the Law permits it, for example (but not limited to):

To fulfil a contract we have entered into with you or to take steps at your request before entering into a contract
To comply with a legal or regulatory obligation
Where we, or a third party, have a legitimate interest in processing your information
To carry out a task or exercise a duty in the public interest

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.

Less commonly, we may also use personal information about you where:

You have given us consent to use it in a certain way
We need to protect your vital interests (or someone else’s interests)

Some of the reasons listed above for collecting and using personal information about you overlap and there may be several grounds that justify our use of your data.

Consent: While the majority of information we collect from you is mandatory, there is some information that you can choose whether or not to provide to us. Whenever we seek to collect information from you (or your agency), we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice. Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and we will explain how you can withdraw consent easily if you wish to do so.

STORING, ACCESSING AND SHARING YOUR PERSONAL INFORMATION

Your personal data will be accessed on a ‘need to know’ basis. Any internal use of your data will be limited to those who are involved with working with you or need to have access to your information to work on your behalf, your matter etc. Any inappropriate use or access of personal data by our staff is regarded as a strict matter and may result in a disciplinary investigation being commenced.

Any information sharing with other stakeholders will be conducted with your privacy at the forefront of our considerations, with the Outcomes First Group ensuring that any relevant sharing is in accordance with the United Kingdom General Data Protection Regulation and the Data Protection Act 2018 or the common law duty of confidence where applicable. Our staff receive data protection training and we have data protection policies and procedures in place for all staff to follow.

Personal data held by us electronically is stored on secure computer systems and we control who has access to them. Where we use external companies to collect or process personal data on our behalf, we undertake checks on these companies before we work with them, and establish an agreement setting out our expectations and requirements, especially regarding how they manage the personal data they process on our behalf. We endeavour to ensure our suppliers do not transfer your personal data outside of regions that do not have adequate data protection law by putting permissible legal mechanisms in place.

Transferring Data Internationally

Under data protection law, we will only transfer personal data to a country or territory outside the United Kingdom, where:

the UK government has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
a specific exception applies under data protection law.

If you would like further information about data transferred outside the UK, please contact the Data Protection Team (see below, Contact Us).

YOUR DATA PROTECTION RIGHTS

How to access personal information we hold about you Individuals have a right to make a ‘subject access request’ to gain access to personal information that the company or service holds about them. A request can be made in any format, verbally or in writing, to your local service or to the Data Protection Team at [email protected].

If you are considering a request, please make it is as clear, concise and specific as possible as this will allow us to locate the information you are seeking as quickly as we can. Please note that the right of access is not absolute and there may be occasions whereby your data may not be supplied as it is covered by an exemption.

You may also have the right for your personal information to be transmitted electronically to another organisation in certain circumstances.

Your other rights regarding your data

Subject to certain exceptions, you have the right to:

Object to the use of your personal data if it would cause, or is causing, damage or distress
Prevent your data being used to send direct marketing
Object to the use of your personal data for decisions being taken by automated means (by a computer or machine, rather than by a person)
Receive your personal data in a structured, commonly used and machine-readable format
In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict processing
Restrict the processing of your personal information for certain purposes
Claim compensation for damages caused by a breach of our legal and compliance obligations in respect of your data

To exercise any of these rights, please contact your local service or the Data Protection Team (see below, Contact Us).

Information relating to these rights, and rights in relation to automated decision making and profiling, can be found on the ICO’s website

Please note that where a subject access request is considered to be excessive, then we reserve the right to charge for our costs in complying with the request based on the Information Commissioner’s guidance prevailing at the time the request is received.

HOW TO RAISE A CONCERN

We take any complaints about our collection and use of personal information very seriously. If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.

To make a complaint, please contact your local service manager or the Data Protection Team, who will liaise with the Data Protection Officer. If you remain dissatisfied, you can make a complaint to the Information Commissioner’s Office:

Website: https://ico.org.uk/concerns
Phone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

DATA PROTECTION OFFICER AND ICO REGISTRATION

The Data Protection Officer on behalf of Outcomes First Group is Kevin McBride, who can be contacted at [email protected].

The Data Protection (Charges and Information) Regulations 2018 require every organisation that processes personal information to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt. Outcomes First Group companies are registered with the ICO for this purpose and details of our registrations are referred to in our Article 30 Statement of Processing Activities. Current registrations can also be checked on the ICO’s website at any time here.

CONTACT US

If you have any questions, concerns or would like more information about anything covered in this Privacy Notice, please contact our Data Protection Team by email at [email protected].

OUTCOMES FIRST GROUP – PRIVACY NOTICE

PERSONAL DATA BELONGING TO EMPLOYEES, INCL. APPLICANTS, BANK AND AGENCY STAFF

This document is an addendum to the Outcomes First Group Privacy Notice, providing further details on the processing of data belonging to our employees, including bank and agency staff, as well as those going through the employment application process.

The personal data we process

Personal data that we may collect, use, store and share (when appropriate) about you includes, but is not restricted to:

*Contact details
*Date of birth, marital status and gender
Next of kin and emergency contact numbers
Salary, annual leave, pension and benefits information
Information from your Disclosure and Barring Service (DBS) or Disclosure Scotland checks including any information regarding criminal convictions
Bank account details, payroll records, National Insurance Number and tax status information
*Recruitment information, including copies of ID, right to work documentation, references and other information included in a CV or cover letter or as part of the application process
*Qualifications and employment records, including work history, job titles, working hours, training records and professional memberships
Performance information
Outcomes of any disciplinary and/or grievance procedures
Absence data
Logbooks (and any electronic versions) at any of our sites when signing in
Copy of driving licence
Photographs
CCTV footage and key fob monitoring
Data about your use of the service’s information and communications system
Any data transferred to us under TUPE Regulations.
Vehicle telematics
Employment perquisites and benefits
Arranging travel bookings and accommodation

We may also collect, store and use information about you that falls into ‘special categories’ of more sensitive personal data. This includes information about (where applicable):

Race, ethnicity, religious beliefs, sexual orientation and political opinions
Trade union membership
Physical and mental health, including any medical conditions, and sickness records
Criminal convictions and DBS referrals

Applicants (*)

We obtain and hold applicant data as part of the recruitment process (see *items listed above), as required by Safer Recruitment best practice and in accordance with this Privacy Notice. Personal data belonging to unsuccessful applicants will be held in accordance with the period set out in our personal data retention schedule. For successful candidates, the on boarding process will ensure the remaining records are completed as per our employer obligations and will be processed in accordance with the minimum period set out in our personal data retention schedule.

Agency Staff

Agency staff are employed by their agency company, who are also Data Controllers in their own right concerning the handling of personal data belonging to staff connected with their agency. As a joint Data Controller, however, Outcomes First Group will require certain documentation to be shared by the agency or agency staff member for safeguarding reasons and to ensure that we have the data and documents required to be satisfied of the various statutory regulations to which we are subject.

Why we use this data

The purpose of processing employee data is to help us run our services and comply with our legal obligations in doing so, which includes to:

Enable staff and contractors to be paid
Facilitate safe recruitment, as part of our safeguarding obligations towards the people we support
Support effective performance management
Inform our recruitment and retention policies
Allow better financial modelling and planning
Enable equalities monitoring
Improve the management of workforce data across the sector
Support the work of the regulatory bodies and professional associations
Process insurance claims
Comply with our legal obligations
To safeguard children and vulnerable adults
To bring or defend legal proceedings
To support law enforcement when required to do so
To obtain or permit others to obtain legal advice
To assist with travel bookings and accommodations

For certain roles, we have a legal requirement to undertake Disclosure and Barring Service checks (DBS, England and Wales) or a Disclosure Scotland check. Where we do so, we only do so in accordance with our legal requirements, as updated from time to time. We comply fully with the DBS Code of Practice regarding the correct handling, use, storage, retention and disposal of certificates and certificate information. In accordance with insurance requirements, DBS certificate numbers will be retained for 50 years.

Our lawful basis for using this data

We only collect and use personal information about you when the Law permits it.
Most commonly, we use it:

To fulfil a contract we have entered into with you or to take steps at your request before entering into a contract
To comply with legal or regulatory obligations
Where we, or a third party have a legitimate interest in processing your information
To carry out a task in the public interest

Less commonly, we may also use personal information about you where:

You have given us consent to use it in a certain way
We need to protect your vital interests (or someone else’s interests)

Where you have provided us with consent to use your data, you may withdraw this consent at any time. We will make this clear when requesting your consent and we will explain how you can withdraw consent easily if you wish to do so.

Some of the reasons listed above for collecting and using personal information about you overlap and there may be several grounds that justify the company’s use of your data.

Collecting this information

While the majority of the information we collect from you is mandatory, there is some information that you can choose whether or not to provide to us.

Whenever we seek to collect information from you (or your agency), we make it clear whether you must provide this information (and if so, what the possible consequences are of not complying), or whether you have a choice.

How we store this data

Personal data is stored in line with our Data Retention & Disposal Policy and Schedule, which is available to all staff as part of the policy library. We create and maintain an employment file for each employee on Cascade (online, secured staff portal) or Reach (recruitment system for applicants). The information contained on these systems is secure and is only used for purposes directly relevant to recruitment and employment. Services have separate arrangements for securely holding selected data on agency staff as the majority of personal information remains stored by the agency as the employer.

Once your employment/contract with us has ended (or after 6-12 months for unsuccessful applicants), we will retain these records or delete information in accordance with our Data Retention & Disposal Policy and Schedule, which set out how long we keep information and refers to the guidance outlined by the relevant regulatory bodies and professional associations.

Data sharing

We do not share information about you with any third party without your consent or liaison with your agency (if applicable), unless the Law permits or requires us to do so. Where it is legally required, or necessary and it complies with data protection law, we may share personal information about staff with:

Local authorities – to meet our legal obligations to share certain information with it, such as safeguarding concerns
Regulators
Your family or representatives
Assessors and Examining Bodies
Suppliers and service providers – to enable them to provide the service we have contracted them for, such as payroll
Financial organisations
Central and local government, including Disclosure & Barring Service (DBS)
Our auditors
Survey and research organisations
Trade unions and associations
Health authorities
Security organisations
Health and social welfare organisations
Professional advisors and consultants
Our own and third party solicitors and legal advisors
Our insurance companies
Charities and voluntary organisations
Police forces, courts, tribunals
Professional bodies
Employment and recruitment agencies
New employer in accordance with Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246), only where applicable
Travel companies/agencies

Employment references

The company does not disclose any employment references received, under which it is under a duty of confidence towards the author, unless:

It has the author’s consent;
It is in the public interest to do so;
There is a legal obligation or Court Order, and then only to the extent of such legal obligation or Order.

If you require a copy of a reference that we have received, you should make a request directly to the referee in the first instance or, failing this, provide the company with the referee’s written consent to disclose the reference to you, seek a Court Order or otherwise cite the express legal authority upon which we are obliged to breach our duty of confidence by disclosing the reference.

OUTCOMES FIRST GROUP – PRIVACY NOTICE

PERSONAL DATA BELONGING TO PEOPLE WE SUPPORT, INCLUDING THOSE CURRENTLY IN THE REFERRAL AND ASSESSMENT PROCESS AND THEIR FAMILIES

This document is an addendum to the Outcomes First Group Privacy Notice, providing further details on the processing of data belonging to the people we support and their families/significant others.

We understand that the people we support communicate information in many different ways that has meaning to them. To this end, where necessary staff will support individuals to understand the information contained in this policy in appropriate ways to ensure that, as far as possible, each person who receives care or education from the group, understands the principles contained within this privacy policy, in a way that has meaning to them.

The personal data we process

We hold some personal information about you and, if applicable, your family members and significant others, to make sure we can help you learn and to look after you. For the same reasons, we get information about you from some other places too – like your family, other care providers, other schools, the local council, the NHS and the government.

This information includes, but is not limited to:

Your contact details
Information on your family/significant others
Your home/school records (where applicable)
Your characteristics, like your ethnic background or any special educational needs
Any medical conditions you have
Details of any behaviour issues or exclusions (where applicable)
Photographs
CCTV images (if used on our premises)

Why we process this data

We use this data to help support, care for you and educate you (depending up which services you receive from us), including, but not limited to:

Get in touch with you, and maybe your parents/carers, (as appropriate) when we need to
Look after your wellbeing
Check how you are doing at your home, school or college and work out whether you or those supporting you need any extra help
Track how well the service as a whole is performing
To undertake assessments and reviews
To comply with our legal obligations

Our legal basis for using this data

We will only process your personal information when the Law allows us or requires us to do so. Most often, we will use your information where:

We need to comply with the Law which includes the information we must process in accordance with legal obligations we must comply with when providing our services
We need to use it to carry out a task in the public interest (in order to safeguard you for example)
Sometimes, we may also use your personal information where:

You, or your parents/carers (as appropriate) have given us permission to use it in a certain way
We need to protect your interests (or someone else’s interest)
Where we, or a third party have a legitimate interest in processing your information
To carry out a task in the public interest
We have a legal obligation

Collecting this information

While in most cases you, or your parents/carers, or a local authority (as appropriate) must provide the personal information we nee, there are some occasions when you can choose whether to provide the data. We will always tell you if it is optional. If you must provide the data, we will explain what might happen if you refuse.

Where we have requested permission to use your data, you or your parents/carers, (as appropriate) may withdraw this at any time. We will make this clear when we ask for permission, and explain how to go about withdrawing consent.

How we store this data

We will keep personal information about you while you are at our service. We may also keep it after you have left, where we are required to by Law. We have a Data Retention & Disposal Policy, which sets out how long we must keep information about you and you can request a copy of this policy from the staff who support you.

Data sharing

We do not share personal information about you with anyone else without permission from you, or your parents/carers if necessary, unless the Law allows us to do so, for example with, but not limited to:

Local Authorities – to meet our legal duties to share certain information with it, such as concerns about your care, safety and school exclusions
The Regulator (a government department such as Ofsted, Estyn, The Care Quality Commission, Care Inspectorate Scotland or Care Inspectorate Wales)
Your family and representatives
Educators and examining bodies
Suppliers and service providers – so that they can provide the services for which we have contracted them
Financial organisations
Central and local government
Our auditors
Survey and research organisations
Health authorities
Security organisations
Health and social welfare organisations
Professional advisors and consultants
Our own and third party solicitors and legal advisors
Our insurance companies
Charities and voluntary organisations
Police forces, courts, tribunals
Professional bodies

Youth Support Services

Once you reach the age of 13, we are legally required to pass on certain information about you to the local authority as it has legal responsibilities regarding the education or training of 13-19 year-olds. This information enables it to provide youth support services, post-16 education and training services, and careers advisers. Your parents/carers, or you if you are aged 16 or over, can request that we only pass on your name, address and date of birth to the local authority.

National Pupil Database (if you are at school)

We are required to provide information about you to the Department for Education as part of statutory data collections such as the school census. Some of this information is then stored in the National Pupil Database (NPD), which is owned and managed by the Department and provides evidence on school performance to inform research. The database is held electronically so it can easily be turned into statistics. The information is securely collected from a range of sources including schools, local authorities and exam boards. The Department for Education may share information from the NPD with other organisations, which promote children’s education or wellbeing in England. Such organisations must agree to strict terms and conditions about how they will use the data. For more information, see the Department’s webpage on how it collects and shares research data. You can also contact the Department for Education with any further questions about the NPD.

Transitioning to a New Service

Once you have agreed to move on, we will share some of this information with your new home or school, so that they can assess if they can meet your needs. This will be undertaken with the consent of those who support you (e.g. parents/guardians, Social Worker, Local Education Authority).