Contents
- Our stance on personal data
- Who are we?
- What information do we collect?
- How do we process your personal data?
- What is our lawful basis for processing your personal data?
5.1 Consent
5.2 Legitimate interests
5.3 Compliance with legal obligations
5.4 Contractual necessity - Sharing your personal data
- How long will we keep your personal data?
- Further processing
- How will we secure your personal information?
- Your rights and your personal data
- Complaints
- Contacting us
- Changes to this Privacy Notice
1 Our stance on personal data
CoramBAAF takes your right to privacy seriously. We are committed to protecting your privacy and security and it is important to us that you understand how and why we collect and use information about you. This Privacy Notice, along with our Cookie Policy, explains how and why we use your personal data, to ensure you remain informed and in control of your information.
2 Who are we?
CoramBAAF (we) is an independent membership organisation for professionals, foster carers and adopters, and anyone else working with or looking after children in or from care, or adults who have been affected by adoption. Our registered name and address is:
Coram Academy Ltd, 2015
41 Brunswick Square, London, WC1N 1AZ
We are registered as a company limited by guarantee no. 9697712 (England and Wales)
We are registered on the ICO's Data Protection Register as Coram Academy Limited, Registration no. ZA441128
CoramBAAF is part of the Coram Group (Charity No. 312278). A list of the charities and organisations that make up the rest of the Coram Group can be found in the Privacy Notice for the Coram Group.
3 What information do we collect?
We collect only the personal data that we need to provide you with services, fulfil orders and keep in touch. The categories of personal information that we collect, process, store and share include:
- Personal details (name, date of birth, email address, phone number, postal address)
- Professional details (workplace, job title, subject interests)
- Financial information (payment card details)
- Contact preferences (how you want to hear from us)
- Details of purchases (bookshop and training events)
- Website activity (pages you have visited on our website)
4 How do we process your personal data?
CoramBAAF complies with its obligations under current GDPR and data protection legislation by using data only for the purposes for which it was collected; by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes: -
- To administer membership records
- To deliver membership benefits to you (such as providing advice and information, sending newsletters and mailings, running groups)
- To recruit and manage our employees and volunteers
- To run our training and events
- To maintain our own accounts and records
- To operate the CoramBAAF website and deliver the services that you have requested
- To deliver publications which you have purchased
- To process your payments
- To keep you informed about news, events, activities and services that are relevant to you.
- To send you information about products and services that relate to your previous interests or where you have requested such information.
- To contact you about CoramBAAF surveys gathering opinions on our services or issues of professional relevance.
- To share with external suppliers where required e.g. for the processing of payments
5 What is our lawful basis for processing your personal data?
We will only process your personal data where we have a lawful basis (a legal reason allowing us to process personal data) to do so. The categories of lawful basis which apply to our processing of personal data are:
5.1 Consent
Where we have a record that shows you have given us express consent to use your personal data. This applies to the following purposes:
- Direct marketing (if requested to be added to a list)
- Sending newsletters to non-members
- Preparing conference packs
- Training, workshop and conference evaluations
- Participation in external research projects
- Recording member and user engagement with our website (please refer to our Cookie Policy for details)
5.2 Legitimate interests
Where we are able to demonstrate a legitimate interest in using your personal data which has been balanced against your own interests, rights and freedoms as the data subject. This applies to the following purposes:
- Recruiting staff, associate trainers and volunteers
- Direct marketing (if based on e.g. previous purchases)
- Sending email newsletters to members
- Managing book reviews
- Collecting survey responses to internally run CoramBAAF surveys
- Marketing books and electronic licences
- Marketing workshops and training
- Communicating with ‘readers’ of draft books
- Recording consent from book contributors
- Managing library users and circulation
- Administration of committee meetings and special interest group meetings
5.3 Compliance with legal obligations
Where we are required to process your personal data to comply with a common law or statutory obligation. This applies to the following purposes:
- Keeping financial records
5.4 Contractual necessity
Where it is necessary for us to process your information in order to fulfil our contractual obligations to you, or where you have asked us to do something prior to entering into a contract. This applies to the following purposes:
- Membership administration – signing up new members, renewing and cancelling memberships
- Collecting membership fees
- Delivering membership benefits – sending mailings and books, allowing access to member only content of the website
- Administrating groups - running practice forums and groups, managing and organising Advisory Committees
- Producing books and journal, contracts with overseas publishers
- Provision of goods – electronic licences and books, providing access to journal content
- Staff management – supervisions, appraisals, absence
- Managing inspection copy requests
- Running virtual or face-to-face training / events/ workshops / consultancy services - booking delegates onto conferences and speakers, booking onto free events for CB members, organising annual reception for agency members
- Providing our advice line service
- Conducting Adoption Search Reunion database search requests
- Consultancy work - serving on adoption or fostering panels, IRM (Independent Review Mechanism) work, chairing disruption meetings
6 Sharing your personal data
Within CoramBAAF
Your personal data will only be accessible to CoramBAAF staff who need to process it for the purposes of providing services, fulfilling orders and keeping in touch, and to the Coram Group Finance team for the purposes of processing payments.
With Third Parties
We sometimes share your personal data with trusted third parties (other organisations or companies that we work with or which provide services to us).
We apply the following policies to those organisations to keep your data safe and protect your privacy:
- We provide only the information they need to perform their specific services.
- They may only use your data for the exact purposes we specify in our contract with them.
- We work closely with them to ensure that your privacy is respected and protected at all times.
- If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Examples of the kinds of services we use which may be provided by third parties are:
- Website
- Our membership database
- Our publications purchasing database
- Surveys we run
- Our advice line call centre
- Processing card payments
- Processing direct debit payments
- Hosting and providing online access to the journal
- Analytics for our website visitors
- Our books mailing house
- Our publications stock, sending out books to members
Outside the EEA
Sometimes we will need to share your personal data with third parties outside the European Economic Area (EEA), such as the USA.
The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway. We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA. For example, this might be required in order to process your payment details or provide support services.
If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times. If you wish for more information about these contracts please contact the Data Protection Coordinator at CoramBAAF by email: dataprotection@corambaaf.org.uk
Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.
7 How long will we keep your personal data?
Whenever we collect or process your personal data, we’ll only keep it for as long as necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
Some examples of customer data retention periods:
- Your membership – while the membership is current and for 3 years after the membership expires
- Financial data: records of sales e.g. invoices and receipts – for 6 years plus the current financial year
- Making an enquiry to the Advice Line – for 6 years
- Attendance at our training, workshop, conferences or other events – while membership is current and for 3 years after the membership expires
- Purchasing publications, licences – for 2 years after the purchase/lifetime of the licence (apart from the financial data which is kept for 6 years plus the current financial year)
- You working for us as a member of staff, associate or volunteer - payroll records for 6 years, health and safety records for 3 years, basic employment details indefinitely
8 Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Whenever necessary, we will seek your prior consent to the new processing.
9 How will we secure your personal information?
We know how much data security matters to you. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it. We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of your personal information.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means. Our staff all receive data protection training and we have a set of detailed data protection procedures that personnel are required to follow when handling personal data.
We secure access to all transactional areas of our websites using ‘https’ technology.
Access to your personal data is password-protected, and sensitive data (such as payment card information) is secured by SSL encryption.
We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.
Where we use external companies to collect or process personal data on our behalf we do comprehensive checks before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they process on our behalf. We have a robust partner monitoring framework to ensure these contractual obligations are met.
10 Your rights and your personal data
We want to ensure that you remain in control of your personal data. Part of this is making sure you understand your legal rights.
An overview of your different rights
You have the right to request:
- Access to the personal data we hold about you, free of charge in most cases.
- The correction of your personal data when incorrect, out of date or incomplete.
- The deletion of your personal data, for example, when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end.
- That we stop using your personal data for direct marketing (either through specific channels, or all channels).
- That we stop any consent-based processing of your personal data after you withdraw that consent.
- Review by a CoramBAAF staff member of any decision made based solely on automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision).
You have the right to request a copy of any information about you that CoramBAAF holds at any time, and also to have that information corrected if it is inaccurate. To ask for your information, please email dataprotection@corambaaf.org.uk or write to Data Protection Coordinator, CoramBAAF, Coram Campus, 41 Brunswick Square, London, WC1N 1AX. Please note that the most reliable way to contact us during the coronavirus crisis is by email. To ask for your information to be amended, please update your online account (where applicable), or speak to your CoramBAAF contact.
If we choose not to action your request we will explain to you the reasons for our refusal.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
Where we rely on our legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
Direct marketing
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
11 Complaints
CoramBAAF tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously and encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113 (local rate) or 01625 545745 (national rate)
Or go online to www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites).
Or write to them at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
12 Contacting us
Please note that the most reliable way to contact us during the coronavirus crisis is by email at: dataprotection@corambaaf.org.uk
If you have any questions or concerns about this Privacy Notice and our privacy practices, please in the first instance contact the Data Protection Coordinator at CoramBAAF by email: dataprotection@corambaaf.org.uk
For further information on how your information is used, how we maintain the security of your information, and your rights to access information we hold on you, please contact us:
- By email: dataprotection@corambaaf.org.uk
- Or write to us at: Data Protection Coordinator, CoramBAAF, Coram Community Campus, 41 Brunswick Square, London, WC1N 2AZ
13 Changes to this Privacy Notice
If we modify this Privacy Notice, we will post the revised version here, with an updated revision date. Please check back periodically, and especially before you provide any personally identifiable information.
This Privacy Notice was created in May 2018 and last updated on 14/05/2020.