Context and overview
1. Key details
Policy prepared by: Jennifer Blacow
Approved by board / management on: 10 May 2018
Policy became operational on: 10 May 2018
·Next review date: 10 November 2018
2. Why this policy exists
Aspiedent is committed to protecting your privacy when you use our Services. Our Data Protection Policy explains how Aspiedent collects, uses and protects the data that we hold.
3. Your Personal data - what is it?
(a) Personal data means any information relating to an identified or identifiable living individual, and includes, name, residential address, telephone numbers, email addresses and other identifying information.
(b) Special category data is data which needs greater protection due to its sensitivity. This is likely to include anything that can reveal one or more of the following:
- racial or ethnic origin;
- political opinions, religious or philosophical beliefs or trade union membership;
- genetic / biometric data;
- physical or mental health; or
- sex life and sexual orientation.
(c) Aspiedent is an Autism and Aspergers training and consultancy company, which means that in some circumstances, Aspiedent collects, processes and stores special category data relating to its customers, including information relating to mental and physical health and trade union membership.
(d) This data protection policy applies to any personal data (including special category data) we collect, use or create about you. This includes information:
- which we collect from visitors to our website;
- which is given to us by phone, social media, email, in letters, in forms and other correspondence; and
- which is given in person.
(a) “Aspiedent”, “we”, “us” or “our” means Aspiedent CIC.
(b) “Aspiedent data storage” includes physical, electronic or cloud-based storage of data.
(c) “Personal data” has the meaning as defined in Paragraph 3 of this Policy.
(d) “Services” means services provided by Aspiedent to its customers, including Autism Training and Consultancy to employers and adults with autism spectrum conditions (ASCs) and employment training and employment support to people with ASCs.
(e) “Special category data” has the meaning as defined in Paragraph 3 of this Policy.
Who are we? Contact details of the Data Controller and the Data Protection Officer
5. Data controller
Aspiedent is a data controller. This means we decide how your personal data is processed and for what purposes.
Aspiedent’s contact details are as follows:
Office 19, Bradford Chamber Business Park
New Lane, Laisterdyke
Bradford, BD4 8BX
Tel: 07717 404846
6. Contact details of Data Protection Officer
c/o Aspiedent CIC
Office 19, Bradford Chamber Business Park
New Lane, Laisterdyke
Bradford, BD4 8BX
How do we process your personal data?
7. Compliance with all laws
(a) We comply with all laws concerning the protection of your personal data.
(b) As part of our compliance measures we:
- keep personal data up to date;
- store and destroy it securely;
- do not collect or retain excessive amounts of data;
- protect personal data from loss, misuse, authorised access and disclosure; and
- ensure that appropriate technical measures are in place to protect personal data.
(c) We have security measures in place to reduce the risk of theft, loss, destruction, misuse or inappropriate disclosure of personal data. Examples of our security include:
- protecting data by strong passwords;
- keeping the paper or files in a locked drawer, filing cabinet or a locked office when it is not required and unattended;
- ensuring that our staff do not transfer data via any unauthorised channel;
- controlling access to systems and networks, which allows us to stop people who are not allowed to view your personal information from getting access to it; and
- training for our staff so as to allow us to make them aware of how to handle information and how and when to report when something goes wrong.
We will not process any data relating to a child (under 13) without the express parental / guardian consent of the child concerned. We will make reasonable efforts to verify age and parental responsibility.
9. Data storage and transfer of data outside the EEA
If you need a copy of the safeguards on which we rely on when we store our data on data storage systems which are outside of the EU, please contact our Data Protection Officer whose details are set out in Paragraph 6 of this Policy.
What personal data may we collect about you and where does it come from?
10. Types of personal data we collect
(a) Aspiedent collects personally identifiable information whenever you agree to access, and access any of our Services, request information, make a compliant or participate in activities provided by us. This information may include your name, email address, home or work address, telephone or mobile number, date of birth or bank account details.
(b) We may also, in the course of providing our Services or activities, collect your employment related data, including your employment status, qualifications, aspirations or goals, and, with your written and informed consent, certain special category data, such as your trade union membership data.
(c) We may also ask customers for their written and informed consent to provide us with special category data, including ASCs-related information or other health data necessary for us to tailor our Services, including training and employment support we provide to you.
(d) There is also information about your computer hardware and software that is collected by Aspiedent. This information can include unique identifiers such as your IP (Internet Provider) address, which is a number that can uniquely identify a specific computer or other network device on the internet, browser type, domain names, access times and referring website addresses. We use this information to maintain quality of the Services and our website (www.aspiedent.com), and to provide general statistics regarding use of our website.
(e) Although in most cases the information comes from you, personal data may also come from other sources set out in Paragraph 12 of this Policy below.
11. Types of data subjects
(a) We process personal information about the following categories of people:
- customers (including ASC customers seeking our support and employees of corporate customers looking to engage an ASC customer);
- potential customers;
- persons acting on behalf of a customer or potential customer and other related persons, including his parent or carer;
- staff and directors;
- people contracted to provide a service;
- representatives of referral organisations, employment support agencies and other charities and organisations, such as Leeds Autism AIM; and
- other persons coming into contact with us.
12. Sources of data other than you
(a) Sometimes other people may provide us with your personal data, including through:
- submitting information or communicating with us on behalf of someone else, including such person’s parent, carer or therapist;
- Leeds Autism AIM, which forms part of Advonet, disclosing your personal data, including your ASCs-related or other mental health data and trade union membership data, to us when we collaborate to provide you with certain services; and
- other referral organisations.
Purposes and legal bases for the processing
13 Legal basis for processing you personal data
(a) We will only process your personal data in accordance with the law. In most circumstances, we will rely on the following legal bases as the lawful justification to process your data:
- to allow us to perform our contract with you or take steps at your request prior to entering into a contract with you where the processing is necessary for such purposes;
- to pursue legitimate interests of our own or those of third parties where the processing is necessary, provided your interests and fundamental rights do not override those interests;
- to comply with a legal obligation;
- to protect the vital interests of yourself or another person (and, in the event of processing your special category data, only where you are also incapable of giving consent);
- to perform or exercise obligations or rights which are imposed or conferred by law on us or our employee in connection with employment, social security or social protection where the processing is necessary; and
- to conduct scientific research.
(b) If we process your personal data on a basis not listed above in Paragraph 13(a) of this Policy, we will seek your explicit consent for such processing.
(c) If we rely on your consent to process your personal data, we will ask you to read and agree to the terms of a separate consent form.
(d) You have the right to withdraw that consent at any time. If you wish to withdraw your consent, please contact Jen Blacow at Aspiedent, Office 19, Bradford Chamber Business Park, New Lane, Laisterdyke, Bradford, BD4 8BX or firstname.lastname@example.org.
(e) We have indicated in Paragraph 14 of this Policy below the legal basis or bases on which we are processing or will process your personal data in each of the situations listed in Paragraph 14 of this Policy.
14. Purposes for the processing
(a) We process personal data in a range of situations which include:
- providing our Services (as defined in Paragraph 4 of this Policy);
- maintaining our own accounts and records in order for us to run the business of Aspiedent;
- supporting and managing our employees in order for us to run the business of Aspiedent (and, in case of processing special category data, performing or exercising obligations or rights which are imposed or conferred by law on us or our employees in connection with employment, social security or social protection);
- marketing our Services;
- carry out Autism and Asperger awareness campaigns; and
- undertaking research related to ASCs and neurodiversity.
(b) If you are unable to provide information we seek from you, we may not be able to perform the contract we have entered into with you (such as providing you our Services), or we may be prevented from complying with our legal obligations.
(c) We will only use your personal information for the purpose for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Sharing your personal data
15. Who do we share your personal data with?
(a) We may share your information with partners, agents or service providers to allow them to perform services on our behalf or to help us understand our customers more effectively. These partners will only act under our instruction and will not use your information for their own purposes. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with data protection law.
(b) In most cases, we will not disclose your personal data without your consent, but there are circumstances when your consent is not required, such as when we are required to do so by law or if we have other legal basis (as set out in Paragraph 13 of this Policy).
(c) Some examples of the organisations with which we may share your data:
- providers of Aspiedent data storage services and email service providers, such as Sync, Zoho and HubSpot;
- providers of web hosting services for Aspiedent’s website;
- Leeds Autism Aim, part of Advonet;
- your employer, if your employment has been coordinated through our Services; and
- your parent, carer or therapist or an appropriate health authority, including the National Health Service, if we consider it necessary to protect your vital interests.
16. When may we use your details to contact you?
Aspiedent may contact you in a variety of circumstances, for example:
- in relation to any Service, activity or online content you have requested or signed up for to make sure that we can deliver the services to you;
- in response to any correspondence we receive from you or any comment or complaint you make; and
- in relation to any contribution you have submitted to Aspiedent via social media
17. Contacting you for marketing purposes
Aspiedent will only send you marketing emails with your prior consent.
How long do we keep your personal data?
18. How long do we keep your personal data?
Your data will be stored for 2 years, after which if you are no longer using Aspiedent’s services, it will be destroyed.
19. Your rights
You have a number of information rights which give you more control over your personal data. These rights include:
- right of access;
- right to rectification (to correct anything that is wrong);
- right to restrict processing;
- right to object;
- data portability (being able to transfer your data from one organisation to another); and
- right to erasure (right to be forgotten).
20. Right to access
You can request to see the information we hold about you by sending an email to our Data Protection Officer, whose contact details are listed in Paragraph 6 of this Policy.
21. Right to rectification
(a) If your details change, or you believe we are processing inaccurate information about you, you can ask us to change it. Factual inaccuracies will be amended promptly but there may be instances where we are unable to change a record, such as where there is a difference of opinion on a comment made during a meeting. However, in such cases a note will be placed on record to make sure your views are recorded. If you wish to amend inaccurate information, please contact tour Data Protection Officer, whose contact details are set out in Paragraph 6 of this Policy.
22. Right to restrict processing
You have the right to restrict the processing of your personal data if you are in dispute with us over its accuracy while it is being verified. You can also restrict our use of your personal information if the processing is unlawful. If we no longer need your personal information for the purpose it was held, you can ask us to keep records if they are required to establish, exercise or defend legal claims. If you wish to restrict the processing of your information, please contact our Data Protection Officer, whose contact details are set out in Paragraph 6 of this Policy.
23. Right to object
(a) You have the right to object to the following kinds of processing:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Where we process data using one of the abovementioned methods, we will give you the opportunity to object to any further communications when we first contact you.
(b) You do not have the right to object to processing based on your consent, though you may withdraw your consent at any time.
24. Right to data portability
(a) You have the right to receive personal information, which you have provided to us by electronic means, in a reusable format. This means that where you have submitted information to us online or through an automated process, you can have a copy of that information returned to you in an electronic format to enable you to transfer the information to another organisation.
(b) Please note that this only applies where the processing is based on consent or is necessary for the performance of a contract with you, and in either case where we processes the data by automated means.
25. Right to erasure (right to be forgotten)
(a) If you withdraw consent or there is no lawful basis to process your personal information, you can request that any of your personal data that we hold is erased. If there is no lawful basis for us to process your personal information, we will take reasonable steps to delete it as soon as possible.
26. Right to lodge a complaint
(a) We try to meet the highest standards when collecting and using personal data. For this reason, we take any complaints we receive about this very seriously. We encourage you to bring it to our attention if you think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
(b) If you have any concerns, questions or comments, please contact our Data Protection Officer, whose details are set out in Paragraph 6 of this Policy.
(c) If having exhausted the complaint process you are not content that your request or review has been dealt with correctly, you can appeal to the Information Commissioner’s Office to investigate the matter further by writing to:
Information Commissioner’s Office
How you use this website
27. How you use this website – Google Analytics
(a) We may use Google Analytics to collect information about how people use our website. We do this to make sure it’s meeting people’s needs and to understand how we can make the website work better.
(b) Google Analytics stores information about what pages on this site you visit, how long you are on the site, how you got here and what you click on while you are here.
(c) We do not collect or store any other personal information (e.g. your name or address) so this data cannot be used to identify who you are.
(d) We may also collect data on the number of times a word is searched and the number of failed searches. We use this information to improve access to the site and identify gaps in the content and see if it is something we should add to the site.
(e) Unless the law allows us to, we do not share any of the data we collect about you with others, or use this data to identify individuals.
Data Protection Policy
28. Changes to our Data Protection Policy
(a) We regularly review our Data Protection Policy and encourage you to check it from time to time. This notice was last updated in May 2018.
29. Contacting us about this Data Protection Policy
(a) If you have any questions or comments about this Data Protection Policy, please contact our Data Protection Officer, whose contact details are set out in Paragraph 6 of this Policy.