Privacy and Data Protection Policy
Last updated: April 2023, October 2024
Your privacy is important to us. It is Haye Independent Services Ltd’s also trading as "The Big e" policy to respect your privacy and comply with any applicable law and regulation regarding any personal data we may collect about you, including across our website, https://whatsthebige.com, and our services.
We are registered with the Information Commissioner's Office (ICO), and our practice is fully compliant with the requirements to protect your/the child's personal information. When we do this, we are the 'controller' or and the 'processor' of this data for the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. These regulations were amended on 31 December 2020 following the UK’s departure from the European Union (EU). Our registration number is ZB010761, and the certificate is available upon request.
If you have any questions about this policy, please email hello@whatsthebige.com and we'd be happy to help.
Contents
Data We Collect
Our Lawful Basis for Processing
How we may share your information
How we protect your information
Data Retention
Your Rights
Changes to this policy
Complaints
Data We Collect
Data we collect includes both data you knowingly and actively provide us when using or participating in any of our services and promotions, and any data automatically sent by your devices while accessing our products, services, and website.
We will only record and keep information about your child relevant to your case and the services we provide. Unless instructed by you we will not make it available to anyone without your knowledge.
We will work with you and keep you informed, and you decide how the information will be shared and with whom. You do not have to share any information with anyone you do not want to, and you have the right to object to any of the work that we do.
Personal Data and Sensitive Data
Personal data is any data that can be used to identify you or another person. Sensitive data also known as special category data is personal data that needs more protection because it is sensitive.
We collect data from you and may receive data about you or your child from the child's educational setting or other professionals if agreed by you. This data is likely to include but not limited to;
names of you and your child
critical people
telephone numbers
email address and address details,
date of birth
names of the class and educational setting
you and your child's ethnicity and gender.
relevant information about your child's development, attendance, attainment, results of previous assessments, including health and care issues, special educational needs and disabilities (SEND), or other professional involvement.
Our Lawful Basis for Processing
Under Data Protection Law we must have a lawful basis for processing your personal and sensitive data. We only collect and use your personal information when we have a legitimate reason for doing so.
In the UK, consent to processing personal information may be required from children who are 12 years of age or older. We presume that when you are providing their express consent to us, you have the authority of your child to share their data (where appropriate). In some circumstances, it may be appropriate to obtain express consent from your child or young person as well before processing your data.
We process your data by collecting and storing personal information on our Customer Relationship Management (CRM) system.
This information may be processed for different reasons but are necessary to provide our services to you. These are detailed, non-exhaustively, below;
Consent. We have specifically asked for your permission to use your personal data for a specified purpose, and you've agreed. For example, case management, consent to share for us to advocate on your behalf with the Local Authority and for the sharing of information, or signing up to our newsletter
Contract. We will process your data as part of your agreement with us, which is signed and agreed by both parties. For example, completing our new client contact form, accepting your client letter and completing our terms and conditions, which outlines our personalised services with you.
Legal obligation. Where the law requires it, we may need to collect, share and, or process your personal data. For example, ongoing case management, sending your data and information on to the tribunal services, education, health and or care services, exercising and meeting our contractual rights
Vital interest. Where there is an immediate risk to you or your child's life. For example, we're concerned during a tutoring session, assessment, school visit or meeting.
Legitimate interest. For example, sub-processors for operational management and administrative purposes, IT, financial transactions etc. Service improvements through reports and statistics, system or business updates.
Where we process sensitive data, for example, data concerning health, racial or ethnic origin, we need to meet an additional condition in the GDPR. For us, this may rely on;
Explicit Consent. You have given permission and provided written confirmation directly to us.
Vital Interest. Where the data subject is physically or legally incapable of giving consent, processing is necessary to protect the vital interests of the data subject or of another natural person.
Made public by the data subject. Processing relates to personal data, which is purposely made public by the data subject.
How we may share your information
With our vendors / sub-processors. We may share information with vendors we hire to carry out specific work for us to deliver our services. This includes but is not limited to payment organisations & processing, email delivery providers, providing our website, essential business services such IT/database services, couriers, insurers, accountants etc.
In an emergency. We have a duty of care to your child, and so we would have to disregard any promises of confidentiality if we thought the child was in any kind of danger and would be harmed or cause harm to others. Please read our safeguarding policy.
With professionals. We may wish to discuss the work we do with you and your child during a supervision session with an Educational Psychologist and/or other professionals to get their advice and check that we are drawing reasonable conclusions and making good decisions. In this instance, we will not share any personal information about you or your child that would allow them to identify you.
The learning and training of others. If we wished to share any work that we do to support the learning or training of others, such as describing a case for training purposes, your/your child's personal information would be thoroughly anonymised. So, they would not be able to identify you. This might also be used for our own research and monitoring processes.
To comply with the law. We may share information in response to a request for information if we believe disclosure is required by law, including meeting national security or law enforcement requirements. Where allowed and feasible, we will attempt to provide you with prior notice before disclosing your information in response to such a request. The only exception to this is if the law requires us to provide information about you or your child without your consent, such as a court order or a safeguarding issue.
To enforce our policies and rights. We may share information if needed to enforce our Terms and Conditions or other policies, or to protect the rights, property, and safety of ourselves and others.
How we protect your information
It is our responsibility to ensure that your/your child's information is stored securely and not accessed by anyone else during this time. Your/your child's information will be stored electronically, password protected and where possible require multi-factor verification. As a client, you will also have access to your own personal folder.
All paperwork is kept in a lockable cabinet. Texts will be deleted unless they provide essential information, in which case they will be saved electronically. When we send documents to you, we may use an email secure client, password protect your documents or use your personal folder.
We will ensure that only authorised people (staff or contractors) have access to your information and have the appropriate training for the tasks at hand. We will take appropriate measures to ensure that the personal information disclosed to us is kept secure, accurate and up-to-date and only kept for the reason it was collected.
Despite all our precautions, no data transmission over the internet can be guaranteed to be 100% secure. While we strive to protect your personal information, we cannot guarantee the security of any information you disclose to us through the internet or while stored on our systems or in our care is absolutely safe from intrusion by others. We also aim to put measures in place to protect against unauthorised or unlawful use and accidental loss or destruction.
Data Retention
We will retain your data, for as long as it is needed for the purposes it was collected. This could be until you ask us to delete it or seven years after the child or young person reaches 25 years old. If we don’t need this information, we will return it to you.
We keep this data so that information is available if future involvement is needed/requested or to explain or defend our professional decisions and actions, if an accusation of professional negligence or other misconduct was made against us in the future. We will review the information we hold and when there is no longer a need for us to hold it, we will either delete it securely or where possible, we may anonymise information where it is not linked to an individual, so that information may be kept for longer.
Your Rights
Providing us with your personal information is part of our contractual requirement, and for us to provide the services, you have requested. Parental consent is also required from those adults with parental responsibility for a child up to 13 in the UK, although we request it up to the age of 18. Our procedures ensure that they cover your rights, and your child's rights, including:
The right to be informed - This has been met by the provision of this privacy policy and similar information when we communicate with you directly.
The right of access - You have the right to ask us for copies of your personal information.
The right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
The right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
The right to restrict processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
The right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
The right to object - You have the right to object to the processing of your personal information in certain circumstances.
Rights about automated decision making and profiling - You have the right to object to being subject to a decision based solely on automated processing, including profiling.
At any time, you, or your child, have the right to request to see any information that we hold about you or your child. You can do this by contacting us at hello@whatsthebige.com
Should you wish for your details to be amended or deleted and do so within 30 days free of charge.
Changes to this policy
We can update this Privacy Policy at any time and recommend you check it regularly for updates. We won't notify you to every little change, but if there are any really important changes to this or how we use your information we'll let you know either through our website or through an email update. We encourage you to review our privacy policy whenever you access our services.
Complaints
If you have any concerns with how your data is handled, you can contact us directly at hello@whatsthebige.com
The Information Commissioner's Office (ICO) regulates data protection and privacy matters in the UK. You have the right to contact them and/or complain if you are unhappy with how we use your data. You can contact them at www.ico.org.uk