SAFEcic is committed to protecting the privacy of customers. SAFEcic complies with GDPR and the Data Protection Act 2018, and does not share data with third parties except where required by law.
This privacy notice sets out how SAFEcic uses and protects any information that customers give SAFEcic when using any of SAFEcic's services.
Purpose of data processing
The overriding principle for SAFEcic in processing data is that is done fairly, lawfully and transparently. The purpose of Data Processing by SAFEcic is to undertake its legitimate business interest to provide safeguarding services.
We will treat any personal information by which a customer can be identified (i.e. name, address, email etc.) in accordance with the provisions of General Data Protection Regulations (GDPR). and the Data Protection Act 2018; and will not share information with any third party, except where required by law. Rigorous procedures have been established by SAFEcic to reduce risk of compromise and ensure data is processed lawfully.
SAFEcic Key Roles
The Data Controller is – Michael Carter, Director, SAFEcic
The Data Protection Officer is - The Office Manager, SAFEcic
They can be contacted at –
SAFEcic, Unit 10 Progress Way, Mid Suffolk Business Park, Eye, Suffolk IP23 7HU
SAFEcic – Legitimate Interest
Legitimate Interest is the primary basis on which SAFEcic processes data. This is necessary to enable the effective and safe provision of SAFEcic's services. The data SAFEcic processes, as part of its business operations, has minimal impact on customer’s privacy. The principle beneficiaries of SAFEcic processing data on this basis are customers who wish to utilise our services.
SAFEcic will only use individuals’ data in ways they would reasonably expect, unless we have a very good reason not to, such as an overriding duty to ensure a person’s safety. Data will only be shared with third parties in order to process the legitimate interest, such as processing payments for training or DBS checks.
Individuals who are contacted by SAFEcic as part of any marketing initiative will be given clear information about how to ‘opt out’ of future contact should they wish to (see ‘Consent’)
SAFEcic has undertaken an assessment of its data processes to ensure that our Legitimate Interest is necessary and proportionate and is the least intrusive basis for processing our customer’s data.
In circumstances where Legitimate Interest is not the most proportionate basis to process data we will seek the consent of the person concerned. Personal data will be processed by SAFEcic employees, contracted staff and volunteers in accordance with this Privacy Notice
Data Subject Rights
Data Subjects have the following rights –
- Right to be Informed
- Right of Access
- Right to Rectification
- Right of Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
- Rights related to Automated Decision Making and Profiling
SAFEcic will ensure that the rights of data subjects are complied within in accordance with guidance provided by the Information Commissioners Office under GDPR –
Is SAFEcic a Data Controller or a Data Processor? (as defined by GDPR).
SAFEcic fulfills the GDPR definition for data controller, so is not considered a data processor. See this explanation for further details.
Data Protection Impact Assessment (DPIA)
SAFEcic has not undertaken a DPIA as our processing is not likely to result in a high risk to individuals’ interests or their privacy. This decision will be reviewed on a quarterly basis to consider any change in circumstances which mean that a DPIA will be appropriate.
No sensitive personal data is obtained or retained by SAFEcic
Consent will be used on a limited basis by SAFEcic in respect of consent to receive marketing information, newsletters and training updates. Any consent request will be unambiguous and involve a clear affirmative action (an opt-in). It will be separate from other terms and conditions and will not be a precondition of signing up to a service. Any personal data obtained through consent will be retained securely, will be used solely by SAFEcic and will not be passed to third parties except where required by law
How we check that the information we hold is accurate and up to date
SAFEcic has completed an Information Asset Register (IAR) to enable assessment of data processing procedures. This will be reviewed, as a minimum, on a quarterly basis to ensure that processes, and data retained, are accurate and up to date.
Data Retention Periods
Data retention periods are outlined on the IAR and will be reviewed subject to need and any changes in legislation.
Instructions to staff on how to collect, use and delete personal data
SAFEcic employees and contracted staff take part in training in relation to Data Protection in order to ensure compliance with GDPR and Data Protection is a standing agenda item on quarterly team meetings. All employees and contracted staff act in accordance with the SAFEcic Data Protection Policy.
Disclosure of personal information
In most circumstances we will not disclose personal data without consent unless it is outlined in this notice. However, in some circumstances we can pass on personal data without consent, for example to prevent and detect crime and to produce anonymised statistics.
Any suspected data breaches should be reported to the Data Controller who will assess impact and consider further action in accordance with statutory guidance issued by the Information Commissioners Office.
Controlling customers' personal information
Customers may choose to restrict the collection or use of their personal information and if they have previously agreed to us using their personal information for direct marketing purposes, they may change their mind at any time by writing to or emailing us
We will not sell, distribute or lease any personal information to third parties unless we have permission or are required by law to do so. Data will only be shared with third parties in order to process the legitimate interest, such as processing payments for training or DBS checks.
Access to personal information
SAFEcic tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about an individual we will:
- give them a description of it;
- tell them why we are holding it;
- tell them who it could be disclosed to; and
- let them have a copy of the information in an intelligible form.
To make a request to SAFEcic for any personal information we may hold under the Data Protection Act 2018, anyone may request details of personal information which we hold about them . A small fee will be payable. If they would like a copy of the information held on them they can write to The Data Controller, SAFEcic, Unit 10, Progress Way, Mid-Suffolk Business Park, Eye, Suffolk. IP23 7HU
If they believe that any information we are holding on them is incorrect or incomplete, they should write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect. If they agree, we will try to deal with their request informally, for example by providing the specific information needed over the telephone. If we do hold information anyone can ask us to correct any mistakes by contacting the Data Controller.
We undertake to protect and respect individual disclosures by any staff or organisation on any subject, except where required by law; or unless we have significant concern about the safety or security of a child, young person or adult at risk. In this event we will raise our concern directly with the individual (although there may be exceptional circumstances in which this may not be appropriate) and negotiate a mutually agreed plan of action.
People who use our Services
This privacy notice relates only to SAFEcic web sites. Links to other web sites are not covered by this privacy statement. Should we ask customers to provide certain information by which they can be identified when using this website, then they can be assured that it will only be used in accordance with this privacy statement. SAFEcic may change this policy from time to time and customers should check the privacy notice web page from time to time to ensure that they are happy with any changes.
What we collect
We may collect the following information:
- name and job title
- contact information including email address
- demographic information such as postcode, preferences and interests
- IP address of device used to access our websites
- other information relevant to customer surveys and/or offers
What we do with the information we gather
We require this information to understand customers needs and provide a better service, and in particular for the following reasons:
- internal record keeping.
- we may use the information to improve our products and services.
- we may periodically send promotional emails about new products, special offers or other information which we think customers may find of interest using the email address which they have provided.
- from time to time, we may also use customer information to contact them for market research purposes. We may contact customers by email, phone or mail. We may use the information to customise the website according to customers' interests.
We are committed to ensuring that customers' information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
Visitors to SAFEcic's Websites
A cookie is a small file which asks permission to be placed on devices used to access SAFEcic websites. Once they agree, the file is added and the cookie helps analyse web traffic or lets them know when they visit a particular site. Cookies allow web applications to respond to customers as an individual. The web application can tailor its operations to their needs, likes and dislikes by gathering and remembering information about their preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide customers with a better website, by enabling us to monitor which pages they find useful and which they do not. A cookie in no way gives us access to their computer or any information about them , other than the data they choose to share with us.
They can choose to accept or decline cookies. Most web browsers automatically accept cookies, but they can usually modify their browser setting to decline cookies if they prefer. This may prevent them from taking full advantage of the website.
Links to other websites
Our website may contain links to other websites of interest. However, once customers have used these links to leave our site, they should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which customers provide whilst visiting such sites and such sites are not governed by this privacy statement. They should exercise caution and look at the privacy statement applicable to the website in question.
SAFEcic employ contracted staff to undertake IT support for the maintenance, development and security of the SAFEcic website. This includes the provision of security systems to reduce the risk of a data breach through an external third party. IT support staff do not retain personal data and act in accordance with the SAFEcic Data Protection Policy.
People who contact us via social media
SAFEcic use social media to promote it’s services and public information relating to safeguarding. Any private or direct message via social media the message will be stored under the terms and conditions of the relevant social media service provider. Data obtained by SAFEcic will not be shared with any other organisations except where required by law.
People who email us
All SAFEcic email traffic is encrypted in line with government guidance. If a customer's email service does not support encryption, they should be aware their emails may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Customers should be aware that they have a responsibility to ensure that any email they send is within the bounds of the law.
Our email server runs cPanel and WHM (currently version 6.9). The configuration of our email server ensures encryption and decryption in line with or exceeding government guidance and is kept updated to the latest reliable configuration.
People who use our LiveChat service
We use a third party provider to supply and support our LiveChat service, which we use to handle customer enquiries in real time. When customers use the LiveChat service we may collect names, email address, address and phone number if the customer chooses. The contents of all LiveChat sessions are retained . This information will be retained for two years and will not be shared with any other organisations except where required by law.
Customers can request a transcript of their LiveChat session if they provide an email address at the start of their session or when prompted at the end.
People who shop with us
The majority of orders are processed on our dedicated safecic.co.uk server. Payment is taken either directly through invoice and settled by the customer via BACS or cheque; or via third party payment platforms, currently WorldPay (https://www.worldpay.com/uk) and PayPal (https://www.paypal.com/uk/home). No banking or payment details are copied or retained by SAFEcic. Details of accounts are retained for the HRMC's seven year statutory period.
Requesting a DBS Check
Individuals who request a DBS check do so in order to comply with statutory requirements. SAFEcic strictly adheres to theDBS Code of Practice.SAFEcic also has a written policy on the secure handling of information provided by DBS, electronically or otherwise, and makes it available to individuals at the point of requesting them to complete a DBS application form or asking consent to use their information to access any service DBS provides.
Customer organisations sign up to the SAFEcic DBS agreement and are also required to adhere to the DBS Code of Practice, including the handling and retention of DBS certificate information
Personal identification documents received by SAFEcic by post will be checked and return posted (second class signed for delivery) in the shortest feasible time, usually same day. On occasions when same day is not feasible, the documents will be stored securely until they can be posted.
Personal identification documents presented to SAFEcic in person will be processed immediately and not retained by SAFEcic. Any personal details given to SAFEcic solely for the purpose of DBS checks will be held securely, will not be used for marketing purposes and will not be shared with any third party (unless required by law).
As part of our DBS compliance processes we will need to provide evidence that the required declarations and consent have been freely obtained from the applicant. SAFEcic will provide evidence that these have been captured and that this was given by the individual to whom the application relates. This could be, for example, via a screenshot or a signed and dated paper declaration by the individual
‘Membership’ is a specific service offered by SAFEcic to support organisations who wish to develop and manage their safeguarding policies and procedures. Membership is obtained and managed through SAFEcic and processed on a standalone database on the secure cloud. Data, including name, organisation, email and telephone contact details are retained for the period of membership and subsequently for a period of ten years
Newsletter Subscription and Marketing
SAFEcic will contact clients who use our services from time to time to provide them with information about developments in safeguarding and about future safeguarding training. This will be undertaken with the consent of the individual concerned (see Consent). No data will be shared with third parties and on notification of withdrawal of consent any personal data will be destroyed (unless retained as part of training databases). In order to support our marketing operations and customer newsletter distribution we use third party emailing software programs in accordance with this Privacy Notice and our Data Protection Policy
People who Attend Face to Face Training
SAFEcic administers face to face training on the secure cloud. SAFEcic also uses Eventbrite for the open house courses and annual conference. SAFEcic retains delegate lists of names and associated organisation. Delegates may request inclusion on SAFEcic's newsletter database and give their email address; and can also opt out at any time. SAFEcic also keeps collated delegates' evaluation sheets on a database . All training records are kept for forty years due to the possibility of queries about an individual's training should a safeguarding issue arise regarding that delegate. Any personal details given to SAFEcic solely for the purpose of training will be held securely, will not be used for marketing purposes and will not be shared with any third party (unless required by law).
People who take SAFEcic Online Training
SAFEcic administers online training on the secure cloud. When a user is registered, the minimum data held by our online training system comprises the name of the user and a SAFEcic specific username and password plus the courses the user has been enrolled on. The users email address is optional and would only be used for the purpose of sending log in details and instructions. As users work their way through courses, those training records are retained by SAFEcic. Any personal details given to SAFEcic solely for the purpose of training will be held securely, will not be used for marketing purposes and will not be shared with any third party (unless required by law).
People who visit our office
We keep a signing in and out book by the front door which is completed by all visitors and staff for health and safety reasons. This book also evidences staff attendance at the office. These records are kept for 2 years.
The office is also covered externally by CCTV, with images being stored on the camera software for 14 days when the data is then recorded over.
Occasionally clients will contact SAFEcic for ‘informal’ advice relating to a potential safeguarding concern. This will normally be done without disclosing details of individuals concerned. A written record will be retained of the basic advice provided, without reference to individuals involved, for a period of 10 years unless further retention is required by statutory authorities.
Data will not be shared unless there is an overriding requirement (public safety) which necessitates disclosure to the statutory authorities.
People who make a complaint to us
When we receive a complaint from a person we will record details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
We usually have to disclose the complainant’s identity to the member of staff the complaint is about. This is inevitable where, for example, it relates to the service provided by one of our staff or trainers. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
We may anonymously use information obtained as part of the complaint process to improve performance where appropriate. Complaints about use, storage and retention of data by SAFEcic can also be made to the Information Commissioners Office
People who work with us
Job applicants, current and former SAFEcic employees, workers and contractors
SAFEcic is the data controller for the information applicants provide during the process unless otherwise stated. If applicants have any queries about the process or how we handle their information they can contact us contact us at firstname.lastname@example.org.
What will we do with the information applicants provide to us?
All of the information applicants provide during the process will only be used for the purpose of progressing their application, or to fulfill legal or regulatory requirements if necessary.
We will not share any of the information applicants provide during the recruitment process with any third parties for marketing purposes or store any of their information outside of the European Economic Area. The information they provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.
We will use the contact details applicants provide to us to contact them to progress their application. We will use the other information applicants provide to assess suitability for the role applied for.
What information do we ask for, and why?
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. The information we ask for is used to assess suitability for employment. Applicants don’t have to provide what we ask for but it might affect their application if they do not.
If they use online application system, this may be collected by a (recruitment) data processor on our behalf (please see below).
We ask for personal details including name and contact details. We will also ask about previous experience, education, referees and for answers to questions relevant to the role applied for. The recruitment process will have access to all of this information.
Applicants will also be asked to provide equal opportunities information. This is not mandatory information – if not provided , it will not affect the application. This information will not be made available to any staff outside of our management team, including external hiring managers, in a way which can identify an applicant. Any information provided, will be used only to produce and monitor equal opportunities statistics.
The relevant senior staff involved will shortlist applications for interview. They will not be provided with the name, date of birth or contact details or equal opportunities information if provided .
We might ask applicants to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by the applicant and by us. For example, applicants might complete a written test or we might take interview notes. This information is held by SAFEcic.
If unsuccessful following assessment for the position applied for, we may ask if applicants would like their details to be retained in our talent pool for a period of six months. If yes, we would proactively contact applicants should any further suitable vacancies arise.
If we make a conditional offer of employment we will ask applicants for information so that we can carry out pre-employment checks. Applicants must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
Applicants will therefore be required to provide:
- Proof of identity – applicants will be asked to attend our office with original documents, we will take copies.
- Proof of qualifications – applicants will be asked to attend our office with original documents, we will take copies.
- Applicants may be asked to complete a criminal records declaration to declare any unspent convictions.
- For some positions we may undertake Disclosure and Barring Service checks.
- We will contact applicants ' referees, using the details provided in their application, directly to obtain references
If we make a final offer, applicants will be asked for the following:
- Bank details – to process salaries or invoiced payments
- Emergency contact details – so we know who to contact in case of an emergency at work
Post start date
Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest. If staff complete a declaration, the information will be held on their personnel file.
Once a final offer from us is accepted, applicants' personnel records will be held securely, in written format, by SAFEcic in an internally used HR records system.
SAFEcic will only share staff and worker personal information with third parties for the purposes of their training and professional development. Any shared personal information will be kept to a minimum, and any third parties will comply with GDPR and Data Protection Act 2018.
If employed by or working for SAFEcic, relevant details about staff will be provided to our Finance Department who provide payroll services to for SAFEcic. This will include name, bank details, address, date of birth, National Insurance Number and salary. This information will be provided solely to facilitate payment and compliance with statutory requirements by HMRC.
For employed staff who may accrue pension benefits information will be shared with Royal London to enable relevant pension provision. This will include details of name, national insurance number and payment details.
For some vacancies, we sometimes advertise through external recruitment agencies who will collect the application information and forward it to us. Information collected by them will be retained for 12 months following the end of our agreement.
How long is the information retained for?
If successful, the information applicants provide during the application process will be retained by us as part of their employee file for the duration of employment plus 6 years following the end of employment. This includes their criminal records declaration, fitness to work, records of any security checks and references.
Records in relation to any safeguarding concern will be retained until retirement age is reached or for 10 years, whichever is longer.
If unsuccessful at any stage of the process, the information applicants provided until that point will be retained for 6 months from the closure of the campaign.
If unsuccessful at any stage of the process, the information provided by applicants, for example interview notes, is retained by us for 6 months following the closure of the campaign.
Equal opportunities information is retained for 6 months following the closure of the campaign whether applicants are successful or not.
How we make decisions about recruitment?
Final recruitment decisions are made by senior managers, all of the information gathered during the application process is taken into account.
Applicants are able to ask about decisions made about their application by speaking to your contact within our management team or by emailing email@example.com.
Under the Data Protection Act 2018, applicants, staff, workers and contractors all have rights as individuals which they can exercise in relation to the information we hold about them in line with the Information Commissioners Office guidance
Complaints or queries
SAFEcic tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of SAFEcic’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If anyone wants to make a complaint about the way we have processed their personal information please see contact details below.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 08 May 2018.
How to contact us: E: firstname.lastname@example.org
T: 01379 871091
SAFEcic, Unit 10, Progress Way, Mid Suffolk Business Park, Eye, Suffolk. IP23 7HU