Foundation Years privacy statement
- What is the Foundation Years?
- Why do we use your personal data?
- Explaining the legal bases we rely on
- What sort of personal data do we collect?
- How and when do we collect your personal data?
- Profiling: making our communications relevant to you
- Direct marketing
- How we protect your personal data
- How long will we keep your personal data?
- Who do we share your personal data with?
- Where your personal data may be processed
- What are your rights over your personal data?
- Contacting the Regulator
- Any questions?
We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how the Foundation Years uses your data.
We hope the following sections will answer any questions you have but if not, please do get in touch with us.
It’s likely that we’ll need to change this Privacy Notice from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish.
2. What is the Foundation Years?
The Foundation Years is funded by the Department for Education and delivered by Coram Family and Childcare. It is the platform for DfE to engage with the early years sector.
We are a ‘data controller’ for the purposes of the EU General Data Protection Regulation 2016/679 (‘Data Protection Law’). This means that we are responsible for, and control the processing of, your personal information.
3. Why do we use your personal data?
We collect and use personal data for a number of purposes:
- To provide information to you that we have reason to believe will be of interest to you.
- To ask you to engage with us, for example, to attend an event or complete a survey
- To keep a record of your relationship with us.
If you do not provide this information, we will not be able to sign you up for a particular event, or provide goods and services you have requested.
We may also use your personal information to:
- To invite you to participate in surveys or research.
- To respond to your queries and complaints.
- To protect our service users, visitors, staff, premises and assets from crime, we operate CCTV systems outside our buildings which record images for security.
For further information about why we use your personal data, please refer the privacy notice specific to the service you are using.
4. Explaining the legal bases we rely on
The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal data, including:
In specific situations we can collect and process your data with your consent.
For example, when you tick a box to receive email newsletters from us.
When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.
In certain circumstances, we need your personal data to comply with our contractual obligations. For example, if you have booked on to an event, we will gather your information in order to let you know details for attendance.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our charity and which does not materially impact your rights, freedom or interests. For example, to send you relevant, personalised communications by post in relation to updates, campaigns, services and products.
In limited cases we may need to use your data to protect your vital interests, or those of another person.
For example, we may share personal information with agencies, including local authority services and the police, where it is necessary to safeguard the welfare of a child or adult at risk. Any such decisions will adhere to the Government’s advice: Information Sharing: Advice for practitioners providing safeguarding services to children, young people, parents and carers (2015).
5. What sort of personal data do we collect?
Personal data is any information that can be used to identify you, either by itself or in conjunction with other information that we hold, or may potentially have access to.
We only collect personal data relevant to the type of transactions you have with Foundation Years. So for example, if you request services or products, register for our training or an event, sign up to any of Foundation Year’s activities or online content (such as newsletters), or contact us by telephone, email, social media, post or text message, we may collect and process the personal information that you’ve provided.
This personal information may include:
- Personal details (name, place of work).
- Contact details (email, address, telephone etc.)
- Details of your interests and preferences (such as areas of interest).
- Details of your interactions with us.
- Details of your visits to our websites, and which website you came from to ours.
- Your image may be recorded on CCTV when you visit one of our offices.
When collecting your personal data we’ll always make clear to you which data is necessary in connection to a particular service and why we need it.
A special note about the Sensitive Personal Information we hold:
Data Protection Law recognises that some categories of personal information are more sensitive. Sensitive Personal Information can include information about a person’s health, race, ethnic origin, political opinions, sex life, sexual orientation or religious beliefs.
If you contact us, you may choose to provide details of a sensitive nature.
We will only use this information:
- For the purposes of dealing with your enquiry, training our staff, and quality monitoring or evaluating the services we provide.
- We will not pass on your details to anyone else without your express permission except in exceptional circumstances. Examples of this might include anyone reporting serious self-harm or posing a threat to others, or children contacting us and sharing serious issues such as physical abuse or exploitation.
6. How and when do we collect your personal data?
We collect information from you in the following ways:
When you interact with us directly
This could be:
- When you access any of our services.
- When you ask a member of our staff to email you information about a service or product.
- When you register with us for training or an event.
- When you contact us by any means with queries, complaints etc.
- When you fill out any forms.
- When you choose to respond to one of our surveys.
When you visit our website
We gather general information which might include which pages you visit most often and which services, events or information is of most interest to you. We may also track which pages you visit when you click on links in emails from us. We also use “cookies” to help our site run effectively.
We use this information to personalise the way our websites are presented when you visit, to make improvements, and to ensure we provide the best service and experience for you. Whenever possible we use anonymous information which does not identify individual visitors to our website.
When you access Foundation Year’s social media
We might also obtain your personal data through your use of social media such as Facebook, Twitter, LinkedIn or YouTube, depending on your settings or the privacy notices of these social media and messaging services. To change your settings on these services, please refer to their individual privacy notices, which will tell you how to do this (all links open in a new window; please note we can’t be responsible for the content of external websites):
When you visit our offices
Our premises usually operate CCTV systems for the security of both visitors and staff. These systems may record your image during your visit. You will be notified of the presence of CCTV cameras by clear signs which will also provide you with a number to call if you have any queries.
From other information that is available to the public
In order to tailor our communications with you to your background and interests we may collect information about you from publicly available sources or through third party subscription services or service providers (we have provided further details about these below – see ‘Profiling: Making our communications relevant to you’).
7. Profiling: making our communications relevant to you
We want to ensure that what we share with our subscribers is relevant to them. For this reason we sometimes do something called 'profiling'. It's a standard practice across the charity sector, and simply means we look at your personal information – your background – and consider what's appropriate to ask of you or send to you.
We do this manually, by looking at information that you've given us, or information that's publicly available – for example on social media and other public sources. It means we can tailor communications so that they are relevant (perhaps in relation to one of our services in your area), timely, and respectful.
If you would rather your personal information is not used for the purposes of profiling, please email us at email@example.com with the subject line 'Please stop analysis of my data' or by contacting us at Data Protection, Coram, 41 Brunswick Square, London, WC1N 1AX.
8. Direct marketing
We will only contact you about our work by phone, email or text message, if you have agreed for us to contact you in this manner.
There are several ways you can stop direct marketing communications from us:
- Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular service.
- Email us at firstname.lastname@example.org or write to us at Supporter Care, Coram Campus, 41 Brunswick Square, London, WC1N 1AX.
9. How we protect your personal data
We know how much data security matters to you, and with this in mind, we treat your data with the utmost care. Coram Family and Childcare employs appropriate administrative, technical, organisational, and physical security measures to protect your information and data against accidental or unlawful destruction, loss, or alteration, and against unauthorised disclosure and access.
We use standard industry practices to protect user information, including firewalls, SSL encryption, and system redundancies. Our staff and volunteers all receive mandatory data protection and information security training and we have a set of detailed data protection procedures that personnel are required to follow when handling personal data.
Unfortunately, no data transmission or storage can be guaranteed to be 100% secure. While we strive to protect your personal information, we cannot guarantee security of the information you transmit to us via email or through our websites.
Where we use external companies to collect or process personal data on our behalf we do comprehensive checks before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they process on our behalf. We have a robust partner monitoring framework to ensure these contractual obligations are met.
10. How long will we keep your personal data?
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected. This will be based on either a legal requirement (where a law says we have to keep information for a specific period of time) or accepted business practice.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
11. Who do we share your personal data with?
The personal information we collect about you will mainly be used by our staff at Coram Family and Childcare and Hempsall’s so that we can support you.
We will never sell or share your personal information with organisations so that they can contact you for any marketing activities. Nor do we sell any information about your web browsing activity.
We may, however, share your personal data with trusted third parties who work with us or on our behalf to deliver our services.
Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:
- We provide only the information they need to perform their specific services.
- They may only use your data for the exact purposes we specify in our contract with them.
- We work closely with them to ensure that your privacy is respected and protected at all times.
- They are required to comply with all relevant Data Protection Laws.
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Examples of the kind of third parties we work with are:
- IT companies who support our websites and other business systems.
- Direct marketing companies who help us manage our electronic communications with you.
Sharing your data with third parties for their own purposes:
We will only do this in very specific circumstances, for example:
- For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
- We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our supporters, service users and staff into consideration.
- We may, from time to time, expand, reduce or sell Coram Family and Childcare or Hempsall’s and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.
For further information please contact our Managing Director for Compliance.
12. Where your personal data may be processed
Sometimes we will need to share your personal data with third parties outside the European Economic Area (EEA), such as the USA.
Protecting your data outside the EEA
The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway. We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA.
For example, this might be required in order to process your payment details or provide support services.
If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact our Managing Director for Compliance.
Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.
13. What are your rights over your personal data?
We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights.
You have the right to:
- Ask us what information we hold about you – and be given that information (usually free of charge).
- Ask us to correct, change or update any information we hold about you.
- Withdraw your consent for us to use your information.
- Ask us to delete your information entirely. For example, when you withdraw consent, or object to us processing your data and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
- Object to your data being processed by us (for legitimate interests) for reasons connected to your individual situation. We must do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
- Make a complaint or ask any other question in relation to your information.
- Ask us to stop using your personal data for direct marketing (either through specific channels, or all channels). We must always comply with your request.
- Review by a Coram staff member of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).
To exercise any of your rights, or ask us any questions about our data protection practices, please either speak to your Coram contact (if you have one) or email email@example.com.
You can also write to us at:
Managing Director of Compliance, Coram Campus, 41 Brunswick Square, London, WC1N 1AX.
If we choose not to action your request we will explain to you the reasons for our refusal.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
14. Contacting the Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113 (local rate) or 01625 545745 (national rate)
Or go online to www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites)
Or write to them at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
15. Any questions?
We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.
If you have any questions that haven’t been covered, please contact our Managing Director for Compliance who will be pleased to help you:
- Email us at firstname.lastname@example.org
- Or write to us at Managing Director of Compliance, Coram Campus, 41 Brunswick Square, London, WC1N 1AZ.
This notice was last updated on 04/01/2023