Privacy Policy

Individuals who we hold personal data about, known as ‘Data Subjects’, have a legal right and an
expectation to be informed about how we process their personal information, for what purpose, for how long
and what their rights are in connection with this processing. Data Controllers, such as Outcomes First 1
Limited and its subsidiaries, which are referred to by its trading name Outcomes First Group in this
document, process personal data, provide Data Subjects with a Privacy Notice to explain how we collect,
store and process their personal data in accordance with data protection laws. It is important that you read
this notice carefully.

Please note that for data protection purposes, ‘Processing’ means collection, recording, organising,
structuring or storing, adapting or altering, retrieving, consulting or use, disclosing by transmission,
disseminating or otherwise making available, aligning or combining, or restricting, erasing or destroying
personal data.

This Privacy Notice covers, but is not limited to our people we support and educate,
commissioners, stakeholders and staff, including applicants.

The organisation’s Data Protection Policy supplements this privacy notice and outlines our general policy on
data protection matters.

WHY YOUR PERSONAL DATA IS IMPORTANT TO US
Your personal data is important to us as it enables us to realise our mission of improving the lives of young
people, adults, their families and communities. It enables us recruit staff and carers, comply with our legal
obligations, and to ensure that the young people and adults who are supported by our schools or residential
homes are well matched, and that they and our staff are closely supported to create a safe, nurturing
space in which they can realise their full potential. Your personal data provides the insight to make that
possible.

YOUR PERSONAL INFORMATION – WHAT WE HOLD AND HOW WE MANAGE DATA
We obtain personal data from numerous sources, which vary according to categories of Data Subjects and
types of personal information ,including special categories of personal data and criminal convictions etc.. We
will treat any personal data by which you can be identified in accordance with the provisions of the United
Kingdom General Data Protection Regulation and the Data Protection Act 2018.

The following sections provide further detail on how we collect and manage data on staff, those we
support and their families.

Staff, including Agency Staff and Applicants
People We Support and their Families

We also collect, use and share aggregated data such as statistical or demographic data for any purpose.
Aggregated data may be derived from your personal data, but is not deemed personal data in law as this data
does not directly or indirectly reveal your identity.

OUR LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA
We only collect and use personal information about you when the Law permits it, for example (but not limited to):
To fulfil a contract we have entered into with you or to take steps at your request before entering into a
contract

To comply with a legal or regulatory obligation Page 2 of 4
Document Type Privacy Notice Version Number 2.0
Policy Owner Data Protection Officer Last Review Date June 23
Date First Issued February 2021 Next Review Date Every two years
Where we, or a third party, have a legitimate interest in processing your information
To carry out a task or exercise a duty in the public interest

A legitimate interest is when we have a business or commercial reason to use your information, so long as this
is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate
interests, to balance our interests against your own.

Less commonly, we may also use personal information about you where:

You have given us consent to use it in a certain way
We need to protect your vital interests (or someone else’s interests)

Some of the reasons listed above for collecting and using personal information about you overlap and there
may be several grounds that justify our use of your data.

Consent: While the majority of information we collect from you is mandatory, there is some information that
you can choose whether or not to provide to us. Whenever we seek to collect information from you (or your
agency), we make it clear whether you must provide this information (and if so, what the possible
consequences are of not complying), or whether you have a choice. Where you have provided us with consent
to use your data, you may withdraw this consent at any time. We will make this clear when requesting your
consent and we will explain how you can withdraw consent easily if you wish to do so.

STORING, ACCESSING AND SHARING YOUR PERSONAL INFORMATION
Your personal data will be accessed on a ‘need to know’ basis. Any internal use of your data will be limited to
those who are involved with working with you or need to have access to your information to work on your
behalf, your matter etc. Any inappropriate use or access of personal data by our staff is regarded as a strict
matter and may result in a disciplinary investigation being commenced.

Any information sharing with other stakeholders will be conducted with your privacy at the forefront of our
considerations, with the Outcomes First Group ensuring that any relevant sharing is in accordance with the
United Kingdom General Data Protection Regulation and the Data Protection Act 2018 or the common law
duty of confidence where applicable. Our staff receive data protection training and we have data protection
policies and procedures in place for all staff to follow.

Personal data held by us electronically is stored on secure computer systems and we control who has access to
them. Where we use external companies to collect or process personal data on our behalf, we undertake checks
on these companies before we work with them, and establish an agreement setting out our expectations and
requirements, especially regarding how they manage the personal data they process on our behalf. We endeavour
to ensure our suppliers do not transfer your personal data outside of regions that do not have adequate data
protection law by putting permissible legal mechanisms in place.

Transferring Data Internationally
Under data protection law, we will only transfer personal data to a country or territory outside the United
Kingdom, where:

the UK government has decided the particular country or international organisation ensures an
adequate level of protection of personal data (known as an ‘adequacy decision’);
there are appropriate safeguards in place, together with enforceable rights and effective legal
remedies for data subjects; or
a specific exception applies under data protection law.

YOUR DATA PROTECTION RIGHTS
How to access personal information we hold about you
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the
company or service holds about them. A request can be made in any format, verbally or in writing, to your
local service or to the Data Protection Team at data.protection@ofgl.co.uk.

If you are considering a request, please make it is as clear, concise and specific as possible as this will allow
us to locate the information you are seeking as quickly as we can. Please note that the right of access is not
absolute and there may be occasions whereby your data may not be supplied as it is covered by an exemption.
You may also have the right for your personal information to be transmitted electronically to another
organisation in certain circumstances.

Your other rights regarding your data
Subject to certain exceptions, you have the right to:

Object to the use of your personal data if it would cause, or is causing, damage or distress
Prevent your data being used to send direct marketing
Object to the use of your personal data for decisions being taken by automated means (by a
computer or machine, rather than by a person)
Receive your personal data in a structured, commonly used and machine-readable format
In certain circumstances, have inaccurate personal data corrected, deleted or destroyed, or restrict
processing
Restrict the processing of your personal information for certain purposes
Claim compensation for damages caused by a breach of our legal and compliance obligations in respect
of your data

To exercise any of these rights, please contact your local service or the Data Protection Team (see below,
Contact Us).
Information relating to these rights, and rights in relation to automated decision making and profiling, can be
found on the ICO’s website
Please note that where a subject access request is considered to be excessive, then we reserve the right to
charge for our costs in complying with the request based on the Information Commissioner’s guidance
prevailing at the time the request is received.

HOW TO RAISE A CONCERN
We take any complaints about our collection and use of personal information very seriously. If you think that
our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern
about our data processing, please raise this with us in the first instance.

To make a complaint, please contact your local service manager or the Data Protection Team, who will liaise
with the Data Protection Officer. If you remain dissatisfied, you can make a complaint to the Information
Commissioner’s Office:
- Website: https://ico.org.uk/concerns
- Phone: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

DATA PROTECTION OFFICER AND ICO REGISTRATION
The Data Protection Officer on behalf of Outcomes First Group is Kevin McBride, who can be contacted at
data.protection@ofgl.co.uk.

The Data Protection (Charges and Information) Regulations 2018 require every organisation that processes
personal information to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they
are exempt. Outcomes First Group companies are registered with the ICO for this purpose and details of our
registrations are referred to in our Article 30 Statement of Processing Activities. Current registrations can also
be checked on the ICO’s website at any time here.

CONTACT US
If you have any questions, concerns or would like more information about anything covered in this
Privacy Notice, please contact our Data Protection Team by email at data.protection@ofgl.co.uk. Page 1 of 4
Document Type Privacy Notice Version Number
Policy Owner Data Protection Team Last Review Date
Date First Issued February 2021 Next Review Date
2.0
June 23
Every two years / as required

OUTCOMES FIRST GROUP – PRIVACY NOTICE
PERSONAL DATA BELONGING TO EMPLOYEES, INCL. APPLICANTS, BANK AND AGENCY STAFF
This document is an addendum to the Outcomes First Group Privacy Notice, providing further details
on the processing of data belonging to our employees, including bank and agency staff, as well as
those going through the employment application processs.

The personal data we process
Personal data that we may collect, use, store and share (when appropriate) about you includes, but is
not restricted to:
• *Contact details
• *Date of birth, marital status and gender
• Next of kin and emergency contact numbers
• Salary, annual leave, pension and benefits information
• Information from your Disclosure and Barring Service (DBS) or Disclosure Scotland checks
including any information regarding criminal convictions
• Bank account details, payroll records, National Insurance Number and tax status information
• *Recruitment information, including copies of ID, right to work documentation, references and
other information included in a CV or cover letter or as part of the application process
• *Qualifications and employment records, including work history, job titles, working hours,
training records and professional memberships
• Performance information
• Outcomes of any disciplinary and/or grievance procedures
• Absence data
• Logbooks (and any electronic versions) at any of our sites when signing in
• Copy of driving licence
• Photographs
• CCTV footage and key fob monitoring
• Data about your use of the service’s information and communications system
• Any data transferred to us under TUPE Regulations.
• Vehicle telematics
• Employment perquisites and benefits
• Arranging travel bookings and accommodation
We may also collect, store and use information about you that falls into ‘special categories’ of more
sensitive personal data. This includes information about (where applicable):
- Race, ethnicity, religious beliefs, sexual orientation and political opinions
-Trade union membership
- Physical and mental health, including any medical conditions, and sickness records
- Criminal convictions and DBS referrals

Applicants (*)
We obtain and hold applicant data as part of the recruitment process (see *items listed above), as
required by Safer Recruitment best practice and in accordance with this Privacy Notice. Personal data
belonging to unsuccessful applicants will be held in accordance with the period set out in our personal
data retention schedule. For successful candidates, the on boarding process will ensure the remaining
records are completed as per our employer obligations and will be processed in accordance with the
minimum period set out in our personal data retention schedule.

Agency Staff
Agency staff are employed by their agency company, who are also Data Controllers in their own right
concerning the handling of personal data belonging to staff connected with their agency. As a joint
Data Controller, however, Outcomes First Group will require certain documentation to be shared by
the agency or agency staff member for safeguarding reasons and to ensure that we have the data and
documents required to be satisfied of the various statutory regulations to which we are subject.

Why we use this data
The purpose of processing employee data is to help us run our services and comply with our legal
obligations in doing so, which includes to:
• Enable staff and contractors to be paid
• Facilitate safe recruitment, as part of our safeguarding obligations towards the people we
support
• Support effective performance management
• Inform our recruitment and retention policies
• Allow better financial modelling and planning
• Enable equalities monitoring
• Improve the management of workforce data across the sector
• Support the work of the regulatory bodies and professional associations.
• Process insurance claims
• Comply with our legal obligations
• To safeguard children and vulnerable adults
• To bring or defend legal proceedings
• To support law enforcement when required to do so
• To obtain or permit others to obtain legal advice
• To assist with travel bookings and accommodations

For certain roles, we have a legal requirement to undertake Disclosure and Barring Service checks
(DBS, England and Wales) or a Disclosure Scotland check. Where we do so, we only do so in accordance
with our legal requirements, as updated from time to time. We comply fully with the DBS Code of
Practice regarding the correct handling, use, storage, retention and disposal of certificates and
certificate information. In accordance with insurance requirements, DBS certificate numbers will be
retained for 50 years.

Our lawful basis for using this data
We only collect and use personal information about you when the Law permits it.
Most commonly, we use it:
- To fulfil a contract we have entered into with you or to take steps at your request before
entering into a contract
- To comply with legal or regulatory obligations
- Where we, or a third party have a legitimate interest in processing your information
- To carry out a task in the public interest
A legitimate interest is when we have a business or commercial reason to use your information, so
long as this is not overridden by your own rights and interests. We will carry out an assessment when
relying on legitimate interests, to balance our interests against your own.
Less commonly, we may also use personal information about you where:
- You have given us consent to use it in a certain way
- We need to protect your vital interests (or someone else’s interests)

Where you have provided us with consent to use your data, you may withdraw this consent at any
time. We will make this clear when requesting your consent and we will explain how you can withdraw
consent easily if you wish to do so.

Some of the reasons listed above for collecting and using personal information about you overlap and
there may be several grounds that justify the company’s use of your data.

Collecting this information
While the majority of information we collect from you is mandatory, there is some information that
you can choose whether or not to provide to us.
Whenever we seek to collect information from you (or your agency), we make it clear whether you
must provide this information (and if so, what the possible consequences are of not complying), or
whether you have a choice.

How we store this data
Personal data is stored in line with our Data Retention & Disposal Policy and Schedule, which is
available to all staff as part of the policy library.

We create and maintain an employment file for each employee on Cascade (online, secured staff
portal) or Reach (recruitment system for applicants). The information contained on these systems is
secure and is only used for purposes directly relevant to recruitment and employment. Services have
separate arrangements for securely holding selected data on agency staff as the majority of personal
information remains stored by the agency as the employer.

Once your employment/contract with us has ended (or after 6-12 months for unsuccessful applicants),
we will retain these records or delete information in accordance with our Data Retention & Disposal
Policy and Schedule, which set out how long we keep information and refers to the guidance outlined
by the relevant regulatory bodies and professional associations.

Data sharing
We do not share information about you with any third party without your consent or liaison with your
agency (if applicable), unless the Law permits or requires us to do so. Where it is legally required, or
necessary and it complies with data protection law, we may share personal information about staff with:
• Local authorities – to meet our legal obligations to share certain information with it, such as
safeguarding concerns
• Regulators
• Your family or representatives
• Assessors and Examining Bodies
• Suppliers and service providers – to enable them to provide the service we have contracted them
for, such as payroll
• Financial organisations
• Central and local government, including Disclosure & Barring Service (DBS)
• Our auditors
• Survey and research organisations
• Trade unions and associations
• Health authorities
• Security organisations
• Health and social welfare organisations
• Professional advisors and consultants
• Our own and third party solicitors and legal advisors
• Our insurance companies
• Charities and voluntary organisations
• Police forces, courts, tribunals
• Professional bodies
• Employment and recruitment agencies
• New employer in accordance with Transfer of Undertakings (Protection of Employment)
Regulations 2006 (SI 2006/246), only where applicable
• Travel companies/agencies
Employment references
The company does not disclose any employment references received, under which it is under a duty
of confidence towards the author, unless:
- it has the author’s consent;
- it is in the public interest to do so;
- there is a legal obligation or Court Order, and then only to the extent of such legal obligation or
Order.

If you require a copy of a reference that we have received, you should make a request directly to the
referee in the first instance or, failing this, provide the company with the referee’s written consent to
disclose the reference to you, seek a Court Order or otherwise cite the express legal authority upon
which we are obliged to breach our duty of confidence by disclosing the reference.

OUTCOMES FIRST GROUP – PRIVACY NOTICE
PERSONAL DATA BELONGING TO PEOPLE WE SUPPORT, INCLUDING THOSE CURRENTLY IN THE
REFERRAL AND ASSESSMENT PROCESS AND THEIR FAMILIES
This document is an addendum to the Outcomes First Group Privacy Notice, providing further details
on the processing of data belonging to the people we support and their families/significant others.
We understand that the people we support communicate information in many different ways that has
meaning to them. To this end, where necessary staff will support individuals to understand the
information contained in this policy in appropriate ways to ensure that, as far as possible, each person
who receives care or education from the group, understands the principles contained within this
privacy policy, in a way that has meaning to them.

The personal data we process
We hold some personal information about you and, if applicable, your family members and significant
others, to make sure we can help you learn and to look after you. For the same reasons, we get
information about you from some other places too – like your family, other care providers, other
schools, the local council, the NHS and the government.
This information includes, but is not limited to:
- Your contact details
- Information on your family/significant others
- Your home/school records (where applicable)
- Your characteristics, like your ethnic background or any special educational needs
- Any medical conditions you have
- Details of any behaviour issues or exclusions (where applicable)
- Photographs
- CCTV images (if used on our premises)

Why we process this data
We use this data to help support, care for you and educate you (depending up which services you
receive from us), including, but not limited to:
- Get in touch with you, and maybe your parents/carers, (as appropriate) when we need to
- Look after your wellbeing
- Check how you are doing at your home, school or college and work out whether you or those
supporting you need any extra help
- Track how well the service as a whole is performing
- To undertake assessments and reviews
- To comply with our legal obligations

Our legal basis for using this data
We will only process your personal information when the Law allows us or requires us to do so. Most
often, we will use your information where:
- We need to comply with the Law which includes the information we must process in accordance
with legal obligations we must comply with when providing our services
- We need to use it to carry out a task in the public interest (in order to safeguard you for
example)
Sometimes, we may also use your personal information where:
- You, or your parents/carers (as appropriate) have given us permission to use it in a certain way
- We need to protect your interests (or someone else’s interest)
- Where we, or a third party have a legitimate interest in processing your information
- To carry out a task in the public interest
- We have a legal obligation

A legitimate interest is when we have a business or commercial reason to use your information, so
long as this is not overridden by your own rights and interests. We will carry out an assessment when
relying on legitimate interests, to balance our interests against your own.
Collecting this information

While in most cases you, or your parents/carers, or a local authority (as appropriate) must provide the
personal information we nee, there are some occasions when you can choose whether to provide the
data. We will always tell you if it is optional. If you must provide the data, we will explain what might
happen if you refuse.

Where we have requested permission to use your data, you or your parents/carers, (as appropriate)
may withdraw this at any time. We will make this clear when we ask for permission, and explain how
to go about withdrawing consent.

How we store this data
We will keep personal information about you while you are at our service. We may also keep it after
you have left, where we are required to by Law. We have a Data Retention & Disposal Policy, which
sets out how long we must keep information about you and you can request a copy of this policy from
the staff who support you.

Data sharing
We do not share personal information about you with anyone else without permission from you, or your
parents/carers if necessary, unless the Law allows us to do so, for example with, but not limited to:
- Local Authorities – to meet our legal duties to share certain information with it, such as concerns
about your care, safety and school exclusions
- The Regulator (a government department such as Ofsted, Estyn, The Care Quality Commission,
Care Inspectorate Scotland or Care Inspectorate Wales)
- Your family and representatives
- Educators and examining bodies
- Suppliers and service providers – so that they can provide the services for which we have
contracted them
- Financial organisations
- Central and local government
- Our auditors
- Survey and research organisations
- Health authorities
- Security organisations
- Health and social welfare organisations
- Professional advisors and consultants
- Our own and third party solicitors and legal advisors
- Our insurance companies
- Charities and voluntary organisations
- Police forces, courts, tribunals
- Professional bodies

Youth Support Services
Once you reach the age of 13, we are legally required to pass on certain information about you to the
local authority as it has legal responsibilities regarding the education or training of 13-19 year-olds.
This information enables it to provide youth support services, post-16 education and training services,
and careers advisers. Your parents/carers, or you if you are aged 16 or over, can request that we only
pass on your name, address and date of birth to the local authority.

National Pupil Database (if you are at school)
We are required to provide information about you to the Department for Education as part of
statutory data collections such as the school census. Some of this information is then stored in the
National Pupil Database (NPD), which is owned and managed by the Department and provides
evidence on school performance to inform research. The database is held electronically so it can easily
be turned into statistics. The information is securely collected from a range of sources including
schools, local authorities and exam boards. The Department for Education may share information from
the NPD with other organisations, which promote children’s education or wellbeing in England. Such
organisations must agree to strict terms and conditions about how they will use the data. For more
information, see the Department’s webpage on how it collects and shares research data. You can also
contact the Department for Education with any further questions about the NPD.
Transitioning to a New Service

Once you have agreed to move on, we will share some of this information with your new home or
school, so that they can assess if they can meet your needs. This will be undertaken with the consent
of those who support you (e.g. parents/guardians, Social Worker, Local Education Authority).