BeyondAutism is committed to protecting and respecting the personal data that we hold. This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves or by a third party acting on behalf of an individual. We may use personal data provided to us for the purposes described in this privacy statement or as made clear before collecting it.
Personal data is any information relating to an identified or identifiable living person. When collecting and using personal data, our policy is to be transparent about why and how we process that data. This can be for a number of purposes; the means of collection, lawful basis of processing, use, disclosure and retention for each purpose is set out in this policy.
Where we receive personal data that relates to an individual from a third party, we request that this third party inform the individual of the necessary information regarding the use of their data. Where necessary, reference can be made to this privacy statement.
We take the security of all the data we hold seriously. Staff are trained on data protection, confidentiality and security.
We have a framework of policies and procedures which ensure we regularly review the appropriateness of the measures we have in place to keep the data we hold secure.
All information you provide to us is stored on our secure servers.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted online. However, once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
3. Data that we hold
3.1 Our services
We provide services to individuals as well as organisations. The exact data held will depend on the service being provided. Where we engage with individuals, we may collect and process personal data in order to assess the needs of a child or young adult and their parent(s)/carer(s). We will only ask for personal data that is required for us to fulfil our contractual or operational obligation.
3.1.1. Why do we process this data?
Where data is collected for admissions into one of our services, it is used for a number of purposes, as follows;
Delivery of service:
- Admission – We may process your data if you have enquired about our services, have a son/daughter at one of our services, or if you are planning on sending your son/daughter to our services. If applying to attend a service, we may process your data and that of your son/daughter to assess your application, and if successful, to grant admission to our services. If your son/daughter is currently attending one of our services, we will process your data throughout the duration of their attendance, and to provide you appropriate support.
- Promotion of services – we may also process your data to offer you information, courses or other services we feel may be applicable to you.
Individual needs: When communicating with and assessing the needs of the individual and the parent(s)/carer(s), personal data may be processed in order to ensure that we are appropriately meeting their needs.
Administration: In order to manage and administer our business and services, we may collect and process personal data. This may include (but is not limited to) maintaining internal records of the individual and maintaining internal safeguarding processes.
Regulatory: For us to carry out our role, we may from time to time be required to collect and process personal data in order to fulfil regulatory, legal or ethical requirements. This may include (but is not limited to) the verification of identity of individuals.
3.1.2. What data is processed?
This is dependent on the service that is being provided and on the recipient of this service.
Services to customers: Individual’s names, date of birth, address, medical history, questionnaires, consent forms, unique pupil number, religion, ethnicity, siblings’ data.
Parent / Carer / Power of Attorney: Emergency contacts, names, legal guardians and power of attorneys, criminal cases, marital status, financial data, religion, ethnicity, and data captured from other third parties.
Local authorities: Names, email, contact details, job titles.
3.1.3. How long do we hold data for?
We retain the personal data processed by us for as long as is considered necessary for the purpose(s) for which it was collected. There may also be occasions which will require data to be kept for longer, however this will typically be for legal purposes. We will periodically review this data, to ensure that it is still relevant and necessary. For more information regarding legal requirements and how long data is kept for please see our Data Retention Policy.
In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it. We will periodically review this data, to ensure that it is still relevant and necessary.
We collect and process personal data about those involved in our training – this includes parents, carers and professionals within the industry. The data is held to provide you with training, to manage the relationship, and to ensure your needs are fulfilled. We may also use this data to send you information on further training that we think maybe of interest to you. You can choose to opt out of these correspondence at any time.
3.2.1. Why do we process this data?
We have different services which you may have enquired about, are currently attending or previously attended. These include:
- Training: We provide ABA/VB training to parents and professionals on how to identify behavioural traits, alongside other behaviour-based training.
- Outreach: We work with parents/carers and professionals in other education settings to support children and young adults with autism.
We will collect and process your data for one of the following reasons:
Complying with any requirement of law: we are subject to legal, regulatory and professional obligations. We need to keep certain records to show we comply with those obligations and those records may contain personal data.
Administration: In order to manage and administer our business and these services, we may collect and process personal data.
3.2.2. What data do we hold?
We will hold names, email address, contact details, addresses, photos, and videos where consent has been given.
3.2.3. How long do we hold this data for?
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). Data may be held for longer periods where required by law or regulation and in order to establish, exercise or defend our legal rights. We will periodically review this data, to ensure that it is still relevant and necessary.
3.3. Fundraising and marketing
We process personal data for fundraising and marketing purposes. We will only do this when we have your explicit consent, or we believe we have a legitimate purpose to do so.
3.3.1. Why do we process this data?
We have different ways we carry out fundraising and marketing. This can include:
- Receiving donations and raising awareness on how to donate to us
- Requesting Gift Aid to enhance donations where applicable
- Events – if you registered or expressed an interest in attending one of our events
- Charity news – if you registered to hear about the charity and the work we are doing
3.3.2. What data do we hold?
We will hold names, email address, contact details, address, photos, and videos where consent has been given.
3.3.3. How long do we hold this data for?
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). Data may be held for longer periods where required by law or regulation and in order to establish, exercise or defend our legal rights. We will periodically review this data, to ensure that it is still relevant and necessary. For more information on this please ask to see our Data Retention Policy.
3.4 Our staff
We process personal data on all staff, including full and part time staff, temporary staff and volunteers, to enable us to comply with our obligations as an employer.
3.4.1. Why do we process this data?
We need to collect data about staff to enable us to comply with all applicable employment laws and to fulfil required activities such as HR and payroll. This includes:
- Maternity/paternity/parental leave
- Diversity requirements
- Performance Management
- Working hours and attendance and absence
- Safeguarding (including DBS and Single Central Register)
- Sick leave
- Legally required compliance training
- Health and Safety – accident or injuries at work
3.4.2. What data do we hold?
We will hold names, email address, contact details, address, photos, work entitlement, data relating to pension provision, education and career development data, data relating to professional life and economic situation (e.g. pay grade, tax deductions), DBS and safeguarding records including criminal records checks, and videos where consent has been given.
Not all of this information will be kept on every group within the organisation. For example, we would typically keep less personal data relating to volunteers than employees.
3.4.3. How long do we hold this data for?
We retain the personal data processed by us for as long as is considered necessary for us to comply with our legal obligations. This is especially so for areas such as Pensions and certain Health and Safety requirements.
4. People who use our website
Personal data may be collected when individuals fill in forms on our websites or by corresponding with us by phone, e-mail or otherwise. This includes information provided when an individual registers to use our websites, subscribes to our services, or makes an enquiry.
5. Sharing personal data
We will only share personal data with others when we are legally permitted and/or obliged to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.
Personal data held by us may be transferred to:
- Local Authorities – we may share data with a local authority, when we have your consent. We may also be required to share data to prove that we are using the funds they have given us for the purposes agreed contractually.
- Social workers – we will share data with social workers who will be providing
on- going assistance and support.
- External course leaders, agency staff and volunteers – we will share data with external course leaders who we will assign to deliver a service on our behalf that you have chosen to attend.
- Third parties required to verify DBS and safeguarding needs and to meet HMRC/tax requirements to enable successful recruitment
We use third parties to support us in providing our services and to help provide, run and manage our internal database.
We may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
Where we have any safeguarding concerns, we are permitted under GDPR to disclose personal data to the relevant authorities without the consent of the data subject.
6. Locations of processing
7. Individual’s rights
Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights as follows:
- Individuals can request access to their personal data held by us as a data controller.
- Individuals can request us to rectify personal data submitted to us or, where appropriate, contact us via the relevant website registration page or by amending the personal details held on relevant applications with which they registered.
- Individuals can request that we erase their personal data.
- Where we process personal data based on consent, individuals may withdraw their consent at any time by contacting us or clicking on the unsubscribe link in an email received from us.
- Individuals have other rights to restrict or object to our processing of personal data and the right to data portability.
- Individuals can request information about any automated data processing that we may undertake.
If you wish to exercise any of these rights, send an email to firstname.lastname@example.org
We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to email@example.com – we will look into and respond to any complaints we receive.
You also have the right to lodge a complaint with the UK data protection regulator, the Information Commissioner’s Office (“ICO”). For further information on your rights and how to complain to the ICO, please refer to the ICO website https://ico.org.uk/concerns
9. Data controller and contact information
The data controller for BeyondAutism Charity is BeyondAutism Charity. If you have any questions about this privacy statement or how and why we process personal data, please contact us at:
17 Oval Way
10. Changes to our privacy statement
This privacy statement will be kept up to date with the latest developments required.
This privacy statement was last updated on 30/11/2021.