At DPAS we’re committed to protecting and respecting your privacy and being transparent in everything we do.
This notice explains:
Who this notice applies to;
When we collect information from you;
What type of information is collected from you;
How we use information;
How long we hold your information;
The situations where we may share your personal information;
Controlling your information for marketing;
Your data rights;
Keeping your information safe;
Keeping children and vulnerable people safe; and
Links to other websites.
We may change this policy from time to time so please check this page to ensure that you’re happy with any changes.
Any questions regarding our privacy practices should be sent by email to:
Nigel Gooding, DPO, 10 Oaktree Place, Exeter, EX2 8WA or email@example.com.
Questions for the DPO should be sent to DPAS-DPO@protonmail.com.
Who does this privacy notice apply to?
In this notice, all references to “DPAS”, “we”, “our” and “us” are to be taken as references to Gooding&Co Ltd, trading under the name the ‘Data Privacy Advisory Service’.
DPAS’s registration with the Information Commissioner’s Office as a Data Controller is number ZA283976. We provide Data Protection Officer Services in accordance with Articles 37 to 39 of the General Data Protection Regulation (GDPR). We also provide Consultancy Services and Training in the field of Data Protection more generally.
This privacy notice is separate to our main privacy notice which applies to our services generally. This privacy notice is specific to the processing of personal data which DPAS undertake in relation to the Framework agreement with Kirklees Council.
Under the Framework Agreement, DPAS are a Data Processor, and Kirklees Council are Data Controller. To see Kirklees Council’s Privacy Notice, please see their website.
This privacy notice is meant to inform the bodies to whom we may provide services within the Kirklees Framework, such as schools and councils, of our policy in regard to processing data.
This privacy notice also acts as an information piece to those people whose personal data we may come into contact with, as a result of our work with these bodies.
This notice applies to DPAS and is not a testament to how the bodies (i.e. the schools, councils etc) will treat personal data. To find that information, please contact the relevant body.
We promise at DPAS that personal data shall be:
processed lawfully, fairly and in a transparent manner.
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (i.e. we will apply the principle of ‘data minimisation’).
accurate and, where necessary, kept up to date.
We will take every reasonable step to ensure that personal data that are inaccurate (having regard to the purposes for which they are processed) are erased or rectified without delay.
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
When do we collect information from you?
We collect information in the course of our business. The main prompt for our data collection is when:
You contact us in our capacity as a Data Protection Officer (DPO) for one of our Kirklees clients.
You email us or call us to enquire about our products and services or submit an online form in relation to a Lot under the Kirklees Framework.
We have been asked to contact you in relation to our business activity (i.e. your manager has asked us to speak to you about a service we provide or someone in your network has made an introduction).
You use our website (i.e. IP address in Google analytics).
We may also be given access to your data in relation to our services to the bodies (i.e. a DPAS team member may see staff names, or pupil lists when providing services under Lot 2 to a school). This type of access will be limited to the extent necessary to carry out the services and further processing (i.e. transfer of such data) will not be undertaken without a Data Processing Agreement being in place.
What type of information is collected from you?
The information we collect will change based on the reason we are processing your data. We will never collect more from you than we need.
When you contact us in our capacity as DPO, we will collect whatever information is necessary to fulfil our legal obligation to you and our contract with our client.
This will typically include your name and some details about why our client was processing your data and information about whether you feel they are meeting their data privacy obligations towards you. We may ask for verification to prove who you are and what your relationship is with our client.
You have the right to contact us in regard to all issues related to processing of your personal data. This includes contacting us to exercise your rights under the GDPR. We are bound by confidentiality in the performance of this task, in accordance with the Data Protection Act 2018.
You can contact our Chief DPO, Nigel Gooding, to find out more about how we process your personal data in confidentiality, by emailing firstname.lastname@example.org.
Enquiring about our products and services or submitting an online form
When you contact us enquiring about our products and services or Lots using the online form, we will collect whatever information is necessary prior to taking steps to enter into a contract with you.
This information will typically include the name and place of work of key contacts in your organisation and their contact details, such as phone numbers, email addresses, role and place of work. There is an option to provide ‘confidential information’. We advise that you do not submit any information here that is of a sensitive nature, especially personal data, and instead you ask us to contact you separately.
We may also process any other information that we have legitimately collected about you in relation to our other services (such as whether your organisation has paid for our training courses in the past) where this other purpose was known to you at the point of data collection. This information would only be processed in relation to engaging in a contract at your request.
Contacting you after a referral
When we contact you at the request of someone else, we will always tell you who we are and where we got your information from. We will do this as soon as is reasonably possible and no later than 28 days after first receiving your contact details. Wherever possible, we will ask the person referring you to us to make the introduction or to check with you whether it is ok for us to call you first.
The information that we will have processed prior to that point will likely be minimal and will include your name, job title/place of work and a contact point such as an email or telephone number.
The lawful basis we rely on when contacting you about our products or services at the request of someone else will be different depending on the context. For the most part, we will be doing this to enter into a contract with your organisation. Other times, it will be in our legitimate interest to do so and you can request that we stop processing your data. Where you have agreed for us to get in touch, we will be doing so based on your consent and you can withdraw this at any time.
You use our website
However, some cookies and tagging/ tracking technologies that we use, such as Google Analytics, do let us know some information which may constitute personal data. An example of this is our Google Analytics Cookies that tell us about which of our pages a certain IP address accessed, when and where it was accessed from.
We do this under the lawful basis of legitimate interest.
It is possible to switch off cookies by setting your browser preferences although our website may lose some of its functionality in such an event. For more information on how to switch off cookies on your computer and about the cookies we use, please visit our full cookies policy.
How do we use your personal information now that we have collected it?
We use personal information about you in connection with the following purposes:
Fulfilling your requests:
Respond to you following a DPO related request, concern or casework activity;
Provide you with the information, products and services that you have requested from us;
Complete any transaction you are undertaking with us;
Carry out our obligations arising from any contracts entered between you and us;
Meeting a legal or statutory obligation.
Providing you with information about other goods and services we offer that are similar to those that you have already purchased, enquired about or may be of interest to your Organisation (using the PECR soft opt-in exemption and legitimate interest in GDPR);
To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you, which may be based on your activity on our website(s) or the website of another DPAS Company or third parties' websites; and,
To make suggestions and recommendations to you about our services that may interest your business.
We will always check against the TPS before getting in touch.
We never market to data subjects who have contacted us when acting in our capacity as a DPO.
Any unsolicited business to business marketing will be using information publicly available, such as a contact telephone/ email address.
If you no longer wish to be contacted for marketing purposes, please email: email@example.com.
Service Improvements and Account Management:
To ensure that content from our site is presented in the most effective manner for you and for your computer;
To administer our site and for internal business administration and operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
To notify you about changes to our service;
To manage and operate your account with us.
We do not use profiling or automated decision-making tools.
How long do we hold your information?
We will hold your data for no longer than we need it. This will depend on the context of our relationship with you and why we are processing your data. We may have legal reasons (i.e. a financial obligation with HMRC) to keep your data beyond its immediate use, but this will never be for longer than industry standard.
All DPO related casework will be held for a minimum of 6 years before being destroyed.
Where not already stated in this policy, you can view our retention schedule here.
Sharing your personal information
In our capacity as a DPO we may have to discuss your case with your Data Controller. We will try and do this in most cases without disclosing personal details. However, in some cases it will be impossible to do so without disclosing your name or other identifiable information. In that instance we will always advise you before contacting the Data Controller.
We will never use your information for any other purpose if you have contacted us in our capacity as a DPO.
If we have a business relationship with you, we may pass some information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf.
When we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we will always have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties beyond the DPAS Network for them to use for their own direct marketing purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
These third parties may include:
Insightly – Customer Management Software
Xero – Invoicing software
Knowledge Zone – E-learning Platform
Asana – Project Management Software
Mailchimp – Email Marketing
We may share your information with credit reference agencies and other companies for use in credit decisions, for fraud prevention.
We may share your information with third-party contractors or Organisations working with DPAS to fulfil supplier contracts. We will only share information that is relevant to fulfilling your request. For example, if you are booked onto a DPAS training course, we will share your information with the course trainer.
We operate internationally. As part of the services offered to you by DPAS, the information which you provide to us may be transferred to countries outside the European Union (“EU”) and the European Economic Area (EEA).
By way of example, this may happen if any of our servers are from time to time located in a country outside of the EEA. These countries may not have similar Data Protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing of data outside the EEA. If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.
If you use our services while you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.
Controlling your information for marketing:
If we do not have a business relationship with you, then you have a choice about whether or not you wish to receive information from us.
Where we have identifiable information (e.g. Joe.Bloggs@example-corporation.com) we will not contact you for marketing purposes by email, phone or text message unless you have given your prior, explicit consent. We will not contact you for marketing purposes by post if you have indicated that you do not wish to be contacted.
Where we have your business contact details (e.g. Information@example-corporation.com) and no personally identifiable information, we will send your business marketing where we think you may be interested in our products or services.
You have the absolute right to object to us processing your personal information for marketing purposes and to withdraw your consent when that is the basis we rely on.
You can exercise these rights and change your marketing preferences at any time by contacting us by email: firstname.lastname@example.org or by clicking unsubscribe on our emails.
Your data rights:
The accuracy of your information is important to us. We’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change email address, or any of the other information we hold about you is inaccurate or out of date, please email us at: email@example.com
You have the right to ask for access to a copy of the personal information DPAS holds about you.
If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.
Our Data Protection Officer is Nigel Gooding and you can contact him at: DPAS-DPO@protonmail.com.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO). Information about how to complain to the ICO can be found here: https://ico.org.uk/make-a-complaint/
Keeping your information safe
We will never keep paper copies of any of your personal data.
Our encrypted DPO email is one of the most secure systems on the market. ProtonMail is hosted entirely in Switzerland, under the protection of the world's strongest privacy laws.
Further details can be found here: https://protonmail.com/security-details
We have a duty under law to keep all DPO casework confidential. Only our trained DPO staff will review the information you have sent and ensure it is kept within the secure email system we have developed.
All DPO casework is password protected and securely held.
We use Google Cloud platform to store your non-DPO and non-training related personal information as it provides some of the best cyber security in the business. To read the detailed specification of how they keep your data safe, please click on the link below.
We are moving to a CRM based system for all personal information related to our training courses. This system has servers in the EEA and your data will be hosted there. For more information on this, please contact firstname.lastname@example.org.
Non-sensitive details and non-DPO mails (your email address etc.) are transmitted normally over the Internet and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Keeping children and vulnerable people safe
Our work in Kirklees requires us to work closely with a large number of schools in the area. DPAS require all staff and contractors working with schools and councils to have at least a Basic certification from the Disclosure and Barring Service to ensure that we protect children and vulnerable adults from harm, in accordance with the Safeguarding Vulnerable Groups Act 2006, and in line with best practice.
In DPAS’s general work, we only process children/vulnerable people’s data with a parent/guardian’s permission. However, due to the nature of the services we provide under this Framework Agreement, we may need to process such data without this permission. Where this is the case, DPAS will be acting in its capacity as Data Processor, and Kirklees Council will be the Controller (as defined in GDPR).
Where we learn that we have collected children’s or vulnerable people’s data without their guardian’s permission, and we do not have a lawful basis under the Framework Agreement, or another legal obligation, then we will take steps to delete the information as soon as possible.
Those who have questions or concerns regarding this, should please contact: DPAS-DPO@protonmail.com.
Links to other websites
In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party site and recommend that you check the policy of that third-party site.
This Policy was last updated: 14th January 2019.
Review and Approval
This policy will be reviewed regularly and may be altered from time to time in light of legislative changes or other prevailing circumstances.