Skip to main content

Privacy notice

We are Ambitious about Autism and together with Ambitious about Autism Schools Trust, we support and work with autistic children and young people. If you would like to know more about us you can find this in section 13: About us. 

Ambitious about Autism and Ambitious about Autism Schools Trust are each responsible for the personal data which we hold, but for your ease of reading, we shall refer to both of our organisations as Ambitious about Autism.  

In order for us to support you or the work we do, we need to record personal information about you. We comply with all relevant articles and obligations outlined in the UK General Data Protection Regulation (referred to as the ‘GDPR’ throughout is document) and Data Protection Act 2018. We are also responsible for ensuring suppliers and third-party processors we use are compliant with Data Protection law. 

We promise to keep your information safe and only share it with other people if it is absolutely necessary. 

This privacy notice outlines the information we process, why we need it, how long we keep it, how we keep it safe, and if we need to share it with any other parties. To help you find the information you need as quickly as possible just click on the heading which best describes you. You may also find that you fit into one or more categories, so please read all that apply to you. 

Ambitious about Autism may change this policy from time to time by updating this page. You should occasionally check this page to ensure that you are up-to-date with any changes, but we will communicate significant alterations to you directly. 

We stand with autistic children and young people, champion their rights and create opportunities and therefore need to process personal data on students and young people.  

We may also collect and use information relating to parents, guardians, other family members, carers and professionals. 

 

Information we process 

Depending on your relationship with us, we may collect the following information: 

  • Contact and communications information, including your name, age, title, gender, contact details including email and social media addresses, telephone numbers and postal address.  
  • Contact details for your next of kin, parent, guardian, carer, professional or other support worker. 
  • School records such as school enrolment number, lessons and exam history, attendance registers, and photograph. This can be part of a school record or, where relevant, the admissions process whether successful or unsuccessful. 
  • Records of assessments, your attainments and achievements, any placements and volunteering assignments, such as with local employers or our Employ Autism programme, and details of any personal challenges you may have, including if you were excluded from any schools. 
  • Medical information such as information from your doctor, details of your physical, mental, and dental health. Information regarding any allergies you may have and what medication you take and whether you have any special dietary requirements. 
  • Records to keep you safe whilst we are responsible for you which may include information from a professional responsible for your care, a local authority or court, plus accident and serious incident logs. 
  • Other sensitive information such as details of your sexual orientation, ethnicity, religion or actual alleged or criminal convictions, but only where it is appropriate, necessary, and usually you have volunteered this to us.  
  • Support information, such as free school meals or other benefits eligibility. 
  • Records of any phone calls, emails, or conversations we have had with you. 
  • Financial information, including details of any fees paid. 
  • Details of you, family members, and friends in discussion with you; this may include details concerning you or your child’s health. This information will be used as a written case study to showcase the work that we to support autistic children and young people. 
  • Photographs and videos with your permission.

 

Reasons for processing and retention schedule 

  • We need your information to manage our relationship with you, comply with our legal obligations and keep you and others safe. Some information we collect is required by law, for example school records when you attend one of our educational settings and safeguarding records. Where the law does not insist that we collect and use your personal data we shall ask you, or your parent or guardian for consent, especially so with sensitive information about you. 
  • We ask for your permission if we would like to use your photograph, case study, or filmed footage of you for the purposes of education, promotion, or advertising. 
    • Internal uses include printed materials e.g. internal newsletters, posters, presentations, banners, and branded materials. 
    • External uses include on our website, social media channels like Facebook, Instagram, Twitter, and YouTube, in funding applications or communications with donors, adverts, prospectuses, external newsletters, and annual reviews. Note that some content may be downloadable. Any organisation in receipt of your image, such as our suppliers or third parties, will be under strict instruction not to use or share images provided outside of the contractual reasons for processing them, as outlined in our Data Processor agreements. 

      These images, case studies, and videos become part of AaA’s library, accessible only to AaA staff. 
  •  We manage your training records and placements partly with your consent, but also under a legal obligation to maintain such records and keep you safe. 
  • Sometimes we need to ask other people for advice, such as a lawyer, your local authority, or a healthcare professional. We will only do this where the law permits, for example, if we are worried about your safety, or if we need advice because a legal claim has been made, or if you have given your permission.  

 

We keep your personal data for periods in line with the latest guidelines from the Information and Records Management Society Toolkit for Schools, considering the specific nature of our service delivery. Details of how long we store this information can be found in our retention schedule on request. 

We keep records of images, case studies, and videos for three years, after which we will dispose of them or request your permission again to continue using them. 

 

Sharing your personal data 

Your personal data is private and will only be accessed by those individuals within our organisation whose job it is to support you, for example teachers, teaching assistants, occupational therapists, programme staff, administrative support staff, and volunteers such as trustees. We will only share your information with external parties where it is necessary or when you have given us permission to do so.  

We may, for example, share some limited information about you with your local authority, a healthcare professional, an employer with whom you have been offered a placement, as well as our professional advisers such as a lawyer. 

If you apply for a specific role through our Employ Autism programme or express an interest in being part of a Participation opportunity through our Participation programme, we may need to share your details with selected third parties for the purpose of progressing your application or expression of interest and considering your suitability for that role or opportunity. 

 

Who we share young people’s information with 

We routinely share young people’s information with: 

  • schools that the young person attend after leaving us 
  • our local authority 
  • youth support services (young people aged 13+) 
  • the Department for Education (DfE).

 

Youth support services 

Young persons aged 13+  

Once a young person reaches the age of 13, we also pass their information to our local authority and / or provider of youth support services as they have responsibilities in relation to the education or training of 13–19-year-olds under section 507B of the Education Act 1996.  

This enables them to provide services as follows: 

  • youth support services 
  • careers advisers.

 

The information shared is limited to the young person’s name, address and date of birth. However, where a parent or guardian provides their consent, other information relevant to the provision of youth support services will be shared. This right is transferred to the young person once they reach the age 16. 

Data is securely transferred to the youth support service via the School Census and is stored in line with the schools Data Retention and Archiving policy.  

 

Young persons aged 16+  

We will also share certain information about young people aged 16+ with our local authority and/or provider of youth support services as they have responsibilities in relation to the education or training of 13–19-year-olds under section 507B of the Education Act 1996. 

This enables them to provide services as follows:  

  • post-16 education and training providers 
  • youth support services 
  • careers advisers.

 

Data is securely transferred to the youth support service via the School Census and is stored in line with the schools Data Retention and Archiving policy.  

For more information about services for young people, please visit the local authority website.  

 

Opting out 

If you wish to opt out of the above please refer to the withdrawing consent policy.  

 

Department for Education (DfE) 

The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections. We are required to share information about our young people with the Department for Education (DfE) either directly or via our local authority for the purpose of those data collections, under: 

  • School census for free schools forming part of AaAST: regulation 5 of The Education (Information about individual pupils) (England) Regulations 2013. 
  • Learning Records Service: Link to privacy notice LRS: privacy notice.

See the types of data collection from the DfE. 

 

Data security 

Your personal information will be retained within our control and within the UK. We may use some third-party software or platforms to help manage your personal information, but we will perform appropriate due diligence on all software and suppliers before we use them.  

We shall make sure that your information remains safe and secure using physical measures such as locked cabinets, firewalls, anti-virus software. Access to your information is well controlled and our staff are trained in information security.  

For our website and contact forms to operate smoothly, some limited personal information must be captured about you. Any personal information you provide to the AaA website will only be made available to relevant employees at AaA.

Our website uses cookies, which are text files which are downloaded onto your device. Some of these cookies are essential for our site to work. Others are optional (or non-essential), but very helpful for us to understand how our website is being used, or to help our website function properly considering the device you are using or service you are accessing.

Before we download non-essential cookies to your device, we ask for your permission by way of our cookie consent banner. For full details of what cookies we use, please see our separate cookie policy.

 

Information we process

  • Website visitor information will be collected including a record of your IP address (the address of your router or device from which you are accessing our site), date and time of your visit, and your system type e.g. PC, iPhone, Windows 10 and to ensure we display the site to your device correctly. Details of the pages you visit, duration of your visit, and general geographical location will be recorded where you give permission.
  • Donor information will be collected if you are kind enough to donate online. You will be transferred to an external third-party payment gateway to process the donation. Additional financial details will be recorded about you as per Section 5. Donors and fundraising.
  • Our contact forms will capture your name, contact details, company details if appropriate, and details of your enquiry. As part of these forms, we may also ask you for your connection to autism and how you heard about AaA. 
  • Analytics: On both our website and forum we would like to use Google analytics to capture semi-anonymous information on how you use our site, but we will ask for your consent before any data is collected. See more in our cookies policy.

 

Reasons for processing and retention schedule
We rely upon our legitimate interests to process data from the website and consent to process information that is captured via our consent form, when signing up to our newsletter, and when you use our forum.

Website analytical data is retained in an anonymised format indefinitely. Newsletter data is processed for as long as you remain a contact and up until you unsubscribe.

Contact us forms are used to process your enquiry and then deleted; how long we keep your information in relation to your request will depend on the nature and complexity of your enquiry, for example retention times for complaints, donations, and safeguarding issues are different.

 

Sharing your personal data 
We use third-party companies to host and manage the AaA website and our email broadcast platform. To assist us in providing the service they may have access to the personal data which you provide. All third parties will be under a duty of confidentiality and have in place signed data processing agreements to protect your information.

 

Data security
Our website is hosted within the UK. All suppliers go through a GDPR due-diligence process and have in place data processing agreements.

Wherever possible, analytical data is held in a fully or partly anonymised format. 

AaA provide and manage support forums for autistic individuals, their support networks, and autism professionals, such as Talk about Autism and the Ambitious Youth Network. These forums are designed around community support and guidance but are monitored and moderated by AaA staff.

 

Information we process
We will capture your name and contact details, such as your email address, and any other personal details that you provide which may enrich your experience of a network, such as social media account details. On some platforms, your full name will not be displayed, but we may use a first name and first initial of your surname. We also ask if you want to volunteer certain special category information on our Talk about Autism and Ambitious Youth Network platforms, such as ethnicity, religion, and gender, but we will only process this information if you choose to provide it. This information will not be visible or available to anybody else on the platforms. We will maintain a log of activity including posts, interactions, log-in attempts together with associated information on your user account. A log of users who have been excluded from our forum and the reason will be maintained. We also log any safeguarding issues, incidents, or concerns on our safeguarding system Behaviourwatch.

 

Reasons for processing and retention schedule
We need to capture personal data to both deliver and improve our online services and to keep users safe. We log any incidents on our safeguarding database for monitoring and best practice.

Forum data will be held up until you cancel or delete your user account. Special category information is only collected for the purposes of equality monitoring and impact evaluation.

 

Sharing your personal data
We use third-party companies to host AaA forums and provide us, as Data Controllers, with the tools to manage the forums.

Special category information held on the Talk about Autism forum is visible only to AaA’s platform administrators. The option to manage this is in your user profile.

 

Data security
Our forums are hosted within the UK. All suppliers go through a GDPR due-diligence process and have in place data processing agreements. 

If you are an employee, you can find full details of how we process employee data in the AaA Employee Privacy Notice, which can be obtained directly from the People team.

If you are a candidate or applying for work or a placement with us, we need to collect and process certain personal data about you to manage your application. You can find out more about how we use your data when you are applying for work or a placement with us by referring to our employee and candidate privacy notice

The information we collect about you will mainly be obtained from the information you provide to us when you interact with us during the recruitment process, such as that contained within your curriculum vitae (CV), application forms and covering letters; we will also make notes during interviews. We may also receive information about you from recruitment agencies, your previous or current employers, places of study, or referees. Data from third party providers such as credit reference agencies and the Disclosure and Barring Service will be held if applicable.

 

Information we process
To manage your application and, where offered, facilitate your employment or placement, we will collect the following types of personal information about you:

  • Personal and contact information, including name, title, address, telephone number, personal email address, date of birth, photograph, and National Insurance number.
  • Application information, including any personal information included within your application form and CV such as employment history, salary history, performance information, training records, professional memberships, and disciplinary and grievance information. 
  • Professional information, such as records of qualifications and study
  • Some roles may require additional assessments (task test, presentation, or trial day). Any test used will have been validated in relation to the job and be free of bias.
  • Right to work evidence, including photographic and other proof of status for example, copy of your driving licence and passport, proof of address, resident status.
  • Special category or sensitive data may be captured. This will be done for one (or more) of the following reasons:

 

Special category or sensitive data may be captured. This will be done for one (or more) of the following reasons:

  • To support your application or your employment, such as information regarding your health, including any disability, medical condition, health and sickness records
  • To comply with legal and safeguarding obligations, such as if you have any actual or alleged criminal convictions and offences
  • For Equality, Diversity, and Inclusion (EDI) reporting and analysis purposes, such as your racial or ethnic origin, religious, philosophical or other beliefs, sexual orientation, and political opinions. While this information may be directly requested, it is entirely your choice to volunteer it.

 

Reasons for processing and retention schedule
We require your personal information to administer job applications, assess your skills, qualifications and suitability for the job or role you have applied for, communicate with you about the recruitment process and, where relevant, offer you a job with us. We are required to do this by law and to allow us to enter a contract of employment or equivalent with you. Some information you provide on your application may not be strictly necessary, but if you volunteer this information, we shall assume you have given your consent for us to process this information.

  • We are required by law to check that you are legally entitled to work in the UK and to ascertain your fitness to work and provide reasonable adjustments where necessary. 
  • We conduct studies to review and better understand the types of job applications we receive, from whom and what kind of education, skills, qualifications, and employment history the applicants typically have for each different job / role. We do this as we have a legal obligation to comply with equal opportunity legislation and to prevent discrimination. We rely on our legitimate interests for other types of research and process sensitive data for research purposes with your permission.
  • We will use information about disability status to consider whether we need to provide appropriate adjustments during the recruitment process. This is a legal obligation. We are required by law to carry out criminal record checks to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable to work with children and vulnerable adults, or any regulated setting, at AaA. 
  • We perform certain background checks and process some information to meet our legal compliance and regulatory obligations, such as compliance with anti-money laundering laws, health and safety obligations and tax reporting requirements.
  • We process some information to prevent or detect fraud or crime, including assisting with investigations (some of which may be criminal investigations) carried out by the police and other competent authorities.

 

For unsuccessful candidates, unless we obtain your permission to retain your CV in our ‘Talent Bank', so that we can keep you in mind as a candidate for other job offers and opportunities to work for AaA for a longer period, we shall delete your CV and application six months after a decision has been made regarding the position. For successful candidates we shall retain your records for the duration of our relationship plus seven years afterwards.

With some records, such as those in relation to certain screening checks, for example, criminal records, health screening records, safeguarding and pension files, the law specifies we must keep these for longer periods of time. Some of these retention periods are laid down in statute and we shall apply whatever current government mandated time periods are applicable. 

 

Sharing your personal data 
In order to manage your application for employment or placement we may need to share your personal data with certain third parties. These include:

  • Government bodies such as HM Revenue and Customs, law enforcement agencies, the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and other parties where we are subject to a court order.
  • Pension providers and insurance companies, including other employee benefits programs such as cycle to work schemes into which they have opted in.
  • We share with Capita Resourcing Limited, UK registered company number 03949686, for the purposes of performing DBS (criminal record) checks.
  • We may share some details with One Occupational Health Ltd, registered in England & Wales Company Number: 11551768, for the purposes of providing your information for medical screening. You will be asked to consent to your data being shared prior to processing.
  • Other employees within our wider group of organisations, such as our centralised human resource (‘People’) department, agents, and contractors but only where there is a legitimate reason for them to receive the information.
  • Third party processors where we have engaged them to process data on our behalf, for example email broadcast or web hosting companies.
  • Professional advisors such as legal counsel, specialist employment and health and safety advisors, accountants etc.

 

Data security
All candidate data is processed within the UK, and we perform appropriate due diligence on all third parties to ensure that they will keep your information safe before sharing takes place. Unless we are required to share your personal data by law, we shall ensure an appropriate data sharing or data processing agreement is in place before sharing takes place. 

We shall ensure that appropriate physical and technical security measures are in place to keep your electronic and manual records safe and apply proportionate cyber-security measures to control access to your information. 

We train all AaA staff in how to manage personal data safely and issue guidance on how to safely manage applications for employment and placement. 

To support us in meeting our charitable and philanthropic aims we both seek and receive donations which may or may not include monetary gifts. To administer these gifts and donations we need to process certain personal information on our donor management database and sometimes with the help of third-party companies. 

AaA adheres to the Fundraising Regulator’s Code of Fundraising Practice.

You may donate via social impact platforms such as Just Giving and Givergy; AaA are not responsible for how data is processed on these sites, and only have access to limited information when details of your donation are shared with us. For more information about how these sites use your personal data, please refer to their privacy policy.

 

Information we process

  • Contact details, including name, title, gender,, address, and contact details.
  • Financial information, including details of any fees paid or donations made, Gift Aid declaration information where relevant, and if you support us with a regular gift by Direct Debit your bank account number, account name, and sort code.
  • We do not store credit or debit card details on our website or on our servers but use a third-party payment provider called Stripe to process our payments. We are not able to access or view full credit or debit card numbers through this service but have access to part-anonymised reporting information that will reference your account name, donation amount, donation date, and any related payment references. You can find more about how Stripe processes your personal data by visiting their privacy policy.
  • Community Fundraising: if you participate in an event or in community fundraising for us, be that as a sponsor or participant, we will collect the information we need to support and inform you of the success and outcomes of your work with us. This will also include details of your Sponsors or participants.
  • Your biography and interests, including with your permission and where relevant, to allow us to offer you further interaction with AaA activities and fundraising.
  • Corporate fundraising, which will include details of key individuals and employees along with details of your organisation (size, sector, good cause preferences, giving history etc).

 

Reasons for processing and retention schedule
We require your contact and financial details to record and manage both one-off and ongoing donations, maintain a record of Gift Aid declarations allowing us to reclaim tax on your donations, acknowledge your donation, and send regular updates to you. We do this using both your consent and our legal obligations to maintain accurate financial records.

  • Stripe will hold your card details on our behalf to manage regular donations – we do this with your consent.
  • For further details of our marketing activities please see Section 10. Marketing and newsletters below.
  • For Corporate Fundraising and Major Gifts Fundraising we sometimes rely upon our legitimate interests to collect and process information.

 

With your consent we will use your information to: 

  • Keep you informed of progress and development of the work of AaA, and to be advised of this in a tailored way beyond our usual media outreach.
  • Offer you opportunities to participate in events and fundraising including such possibilities as marathon running, parachute jumps, and other unique events that may become possible for you to be involved in.
  • Inform you of special projects and other general fundraising that we are running and offering you the opportunity to provide your support.

 

We shall rely upon our legitimate interests to thank you for your support.

We are required by law to keep all tax records for a minimum of six years, and we therefore retain any financial records for seven years. Gift Aid records are kept indefinitely to allow us to claim tax refunds on future donations. 

We usually retain donor and supporter records for seven years after our last interaction, but where there are no legal reasons why we need to retain your information, you can ask us to delete this data sooner.

 

Sharing your personal data 
To process and manage your donations and offers of support, we need to share personal data with selected colleagues, our third-party payments processing company Stripe, HMRC, and our financial auditors.

If you are part of a community fundraising scheme, or part of an employee engagement scheme, with your permission we may share your details with other volunteers and your employer. 

Where you have engaged with us in a competition or auction, we may require a third-party fulfilment company to send you items on our behalf.

 

Data security
The information we collect about you is processed using the industry standard fundraising database known as The Raiser's Edge. Should you give permission to receive updates from us via email, we will process information in a cloud-based platform hosted within the EU and our email broadcast company, MailChimp, based in the USA. These systems are compliant with current security standards and whilst these processors will maintain back-ups of information, they will not access this data. All suppliers go through a GDPR due-diligence process and have in place data processing agreements. 

We collaborate with several private and public sector organisations to help raise awareness of autism and support the work of AaA by becoming Charity Champions, Business Ambassadors, Corporate Partners, or joining the AaA Development Board. To help support and train our corporate partners we collect a limited amount of personal and professional (business to business, or B2B) data. This information will be shared directly by you, and/or by your employer through our relationship with your organisation. 

 

Information we process
We may collect the following information about you: 

  • Business or personal contact details, including name, title, address, employer, email address and telephone number(s).
  • Training and attendance records, including a record of any training received or courses and events attended.
  • Communications between us, such as any enquiries and interactions between your organisation and AaA, which may include special category (or sensitive) data if you volunteer this to us.
  • If you fundraise for us, engage in fundraising, assist with community events, or wish to make donations, please see Section 5. Donors.

 

Reasons for processing and retention schedule
We process information to manage our relationship with you and provide education and support. For these purposes, we shall process your information with your consent, plus share with you terms of reference for the relationship which will be agreed and signed by you. Any special category data will only be processed if volunteered to us and be for specific and explicit purposes.

 

Sharing your personal data 
We will only share your information internally with those colleagues with whom it is necessary to manage our relationship with you, and in certain circumstances will feedback some information about you to your organisation.  

 

Data security
Your information will be held in a secure database, The Raiser’s Edge, and within our Office 365 environment hosted within the UK. Adequate access controls and security measures are taken to protect your personal information.

We place autistic people in paid work experience as part of our Employ Autism programme and Ambitious College’s supported internships. Some information we collect is identical to that found in the 1. Young people, parents, and carers section of this privacy notice. However, some further information is collected to help support applications, onboarding, and ongoing relationship management of young people in the programmes.

 

Information we process
Depending on the opportunity you are applying for, we may collect the following information:

  • Contact and communications information, including your name, date of birth, title, contact details including email and social media addresses, telephone number(s), and postal address.
  • Contact details for your next of kin, parent, guardian, carer, professional or other support worker.
  • Records of assessments, your attainments and achievements, any placements and volunteering assignments, such as with local employers or our Employ Autism programme, and details of any barriers you may have experienced, including if you were excluded from any schools.
  • Medical information such as information from your doctor, details of your physical, mental, and dental health. Information regarding any allergies you may have and what medication you take and whether you have any special dietary requirements.
  • Records to keep you safe whilst we are responsible for you which may include information from a professional responsible for your care, a local authority or court, plus accident and serious incident logs.
  • Other sensitive information such as details of your sexual orientation, ethnicity, religion or actual alleged or criminal convictions, but only where it is appropriate, necessary, and usually you have volunteered this to us. 

 

Reasons for processing and retention schedule
With corporate partners we must enter into contractual agreements and rely upon this lawful basis to process personal data within contracts. With Employ Autism placements we have a legal duty of care to keep all parties safe and we process personal data, some of which is special category (or sensitive) relating to individuals under these legal obligations. When a contract or relationship is no longer live, we shall keep this information for three years.

 

Sharing your personal data 
We share your personal data with our Employ Autism partners where there is a suitably matched candidate or opportunity. You will be informed that we are sharing your data and what personal data is being shared. Our Employ Autism partners will have their own privacy policies outlining how they use your personal data, and these will be made available to you by them.

 

Data security
Your information will be held in a secure database and within our Office 365 environment hosted within the UK. Adequate access controls and security measures are taken to protect your personal information.

We run services across the UK to support and advocate for autistic people and their families and carers, and to train organisations who want to learn more about how to best support autistic people. This includes post-diagnostic support and research, and projects like Autistic and OK.

 

Information we process
We will capture your name and contact details, such as your personal or professional email address, and any other personal details that you provide to us which may enrich your experience of a project or programme.

We may request medical information such as details of your physical and mental health. This will only be requested if it is appropriate or necessary to be part of the service or project and you can request this be removed or deleted at any time.

Some information is sourced from third party networks, where your prior consent has been obtained and where there is a mutual legitimate interest to contact you about a service or project. 

 

Reasons for processing and retention schedule
We capture personal data to both deliver and improve our services, keep participants safe, for monitoring and impact evaluation, and to provide tailored guidance on how to implement the services or projects in your organisation.

With your consent, we will distribute surveys for monitoring progress and gathering feedback to assess the programme and your experiences. You can opt out of these emails at any time.

We log any incidents on our safeguarding database for monitoring and best practice.

 

Sharing your personal data
We use third party companies and platforms to help us manage some of our email distribution lists, but these companies act as data processors working on AaA’s behalf and we are fully responsible for their processing instructions. 

 

Data security
Our webforms, surveys, and database are hosted within the UK. All suppliers go through a GDPR due-diligence process and have in place data processing agreements. 

We curate and deliver training on how to support autistic people in the workplace and beyond. To do this we collect information about you and/or your organisation.

 

Information we process

  • Contact and communication information, including your name, title, contact details including email address and telephone number(s)
  • The name of your organisation or professional body you are a member of
  • Details of your attendance of training
  • Official certifications and qualifications gained as part of our training.

 

Reasons for processing and retention schedule
We collect your information for the purpose of updating you about booked training courses as well as courses you may also be interested in attending in future.

We store details of your completion of our courses – and any certifications as a result – to track the success and quality of our programs, and to evidence when the training took place. Records may be kept beyond the period when training materials are valid in case of any legal processes or claims.

 

Sharing your personal data
We do not normally need to share your personal data with any third parties, unless our course is delivered by external trainers. If we do share your personal data outside of what you can reasonably expect, we will inform you before doing so.

 

Data security
Your information will be held in a secure database and within our Office 365 environment hosted within the UK. Adequate access controls and security measures are taken to protect your personal information.

We stand with autistic children and young people, champion their rights and create opportunities. This includes raising awareness. To do that, we send regular newsletters and updates using a range of channels including email and post. Typically, you will only be added to our emailing list if you have subscribed directly, either through our website or in response to one of our media campaigns, or via a third party, such as your employer, who may ask for you to be added to our mailing list. They should, however, only do this if they have your permission to do so. 

We also engage in awareness, publicity and PR campaigns and may use your story and photograph to further promote issues surrounding autism. More details of this can be found in Section 1. Young people, parents and carers.

 

Information we process

We may collect the following information about you: 

  • Contact details, including your name, title, address, email, and telephone number(s).
  • Communications record of any enquiries and interactions between you and AaA, which may include special category (or sensitive) data if you volunteer this to us.
  • Biographical and social information.
  • Your interests and your connection to autism, but only with your permission, and where relevant, to allow us to offer you further and more personal interaction with AaA activities and fundraising.
  • Analytical data, such as when you click on a link within an email including details of what links have been clicked. This is achieved through pixels and web beacons, which are tags placed in our marketing that record your viewing of a particular web page or email. You can read more within our cookie policy.

 

Reasons for processing and retention schedule
In relation to our fundraising activities, we rely upon your consent to process your personal information. In relation to corporate marketing, we rely on our legitimate interests to better promote the aim and objectives of our organisation. 

When you click on a link within an email broadcast or newsletter, a record of what links have been clicked are recorded. We do this to better understand how effective our mailings have been and to identify specific areas of interest.

 

Sharing your personal data
We do not sell or share your marketing information with any other organisation. We utilise third party companies and platforms to help us manage our donor lists, e-Newsletters, and postal mailings, but these companies act as data processors working on our behalf and AaA are fully responsible for their processing instructions. 

 

Data security and retention
We process information in a cloud-based platform hosted within the EU and our email broadcast company, MailChimp, based in the USA. These systems are compliant with current security standards and whilst these processors will maintain back-ups of information, they will not access this data. All suppliers go through a GDPR due-diligence process and have in place data processing agreements. 

To provide our services we have relationships with many public and private sector organisations, suppliers, and third-party companies. Information will usually come directly from the contact concerned, one of their colleagues with permission to share, or from information already within the public domain.

 

Information we process

  • Contact details, including name, job titles, role, address, email, telephone numbers and social media account details.
  • Administration, including correspondence between us including a record of interactions and enquiries (by any channel) together with copies of any contractual and associated documentation.
  • Financial information, including any tenders, quotations and invoices issued or received.
  • Profiles, including information collected from public domain sources, such as LinkedIn, newspapers and magazines which may include limited biographical information and details of interests.
  • Marketing communications. We shall maintain a record of consents given for marketing purposes and details of any marketing correspondence sent.

 

Reasons for processing and retention schedule  
AaA will use the information you give us to open a mutually beneficial channel of communication and when a more formal relationship is required or sought, use the information to enter a contractual relationship. To do this we shall initially rely upon our legitimate interests and if, or when, a contract is appropriate, we shall rely upon the lawful basis of contractual obligation. We shall retain any contractual documentation for the active period stated in the agreement plus an additional seven years. We shall rely on legitimate interests to identify potential suppliers and partners and where we have a commercial relationship, including financial considerations, we shall process any financial records under our legal obligations, which we shall retain for seven years from the transaction date. 

 

Sharing your personal data
We shall only share details of suppliers and partners internally where it is necessary to meet the intended aim of the relationship and with other partners or suppliers with your permission. We may share your details with our legal and professional advisors should advice or assistance be required, such as in the event of a legal claim or to recover unpaid debt. Data may be stored in third-party software in which case access to your information may be necessary by their customer support or IT support teams, but only at our strict request and under our supervision.

 

Data security and retention
Your information will be held within our UK or EU based platforms and appropriate technical and organisational security measures will be employed. Your information may also be stored in our accountancy software known as PS Financials (PSF).

Within our school and office premises we use surveillance cameras. Some are of a static nature and others can be rotated and zoom. None of these cameras have active audio recording. Cameras can be found on both the exterior and interior of our premises but never in highly sensitive areas unless there are exceptional reasons. Signs will be displayed to inform individuals that they are in an area that is being surveilled by CCTV.

 

Information we process
We will capture images and footage of individuals who may be identifiable from those images.

 

Reasons for processing and retention schedule
AaA use cameras predominately to keep our young people, visitors, and staff safe and to prevent and detect crime. A CCTV system is the most secure and effective way to ensure the safety of individuals on site and prevent unlawful acts. We rely on the lawful basis of legitimate interests to process CCTV images and the substantial public interest to detect unlawful acts.

Our CCTV systems automatically delete footage after a maximum of 30 days. If required for safeguarding or criminal investigation reasons, we will clip footage and store this for the duration of the investigation plus six months.

 

Sharing your personal data 
Where a crime or safeguarding issue has, or is suspected to have taken place, we may share footage with the police or local authority.  Footage may be shared with the Police and other competent authority where the law permits and where there is a legal reason to do so.

 

Data security 
Video footage shall be kept secure, and live and recorded footage will be available only to authorized members of staff and our CCTV service company. CCTV footage is stored within our local servers with encrypted backups held locally or in the cloud, all within the UK.

Keeping your information as private and safe as we can is important to us. 

Your information will be kept in secure servers either in one of our premises, or in a virtual or cloud service hosted in the UK or European Economic Area. If we wish to store your information outside of these regions, we will let you know and where possible ask for your permission.

We also securely store physical documents that will contain personal information. We transfer this to digital storage as much as possible, but there will inevitably be physical documentation that we need to store. AaA uses locked storage in access-controlled areas and facilities to keep this secure.

We make sure that our staff use very strong passwords and change them regularly, we constantly screen emails and computers for viruses and have a firewall to stop unauthorised people accessing your information. We train our staff how to keep your information safe and issue policies and guidance on how to achieve this; our IT and compliance teams also regularly check that your information remains safe.

Where possible we shall remove any information that can identify you, for example we shall remove your name and address and, in its place, put an ID number.

We make sure that any third-party processors working on our behalf are ethical, can keep your information safe, that they follow all data protection legislation, and we have written agreements in place to ensure everyone involved in a process understands their obligations. 

We reference legitimate interest as a lawful basis for processing throughout this document. Legitimate interest is one of the lawful conditions listed within Article 6 of the GDPR that allows us to process non-sensitive personal data.

AaA can rely upon our legitimate interests as long as our interests do not override your fundamental rights.

Find out more about the lawful basis of legitimate interest

We will always keep your information safe and treat it with respect, however, UK and EU data protection legislation gives you fundamental rights concerning your personal data which we have listed below for your convenience: -

  • You have the right to access a copy of the personal information we hold about you; this is commonly referred to as a Data Subject Access Request (commonly known as a DSAR or SAR). You can make the request by phone, in writing or by email; our contact details can be found at the end of this policy. We will have to verify your identity before we can proceed.
  • You have the right of rectification to oblige AaA to amend or update any personal information we hold about you which may be inaccurate or out-of-date.
  • You have the right to erasure, also known as ‘the right to be forgotten’. This is where you may request the deletion or removal of personal data where there is no compelling reason for its continued processing by AaA.
  • You have the right to ‘restrict’ the processing of your personal data. This right applies where it is no longer essential for AaA to process your information to either provide services to you or our relationship has ended and there is no contractual, legal, or financial reason to keep your information any longer. In those cases, we are permitted to store the personal data, but not further process it.
  • You have the right to data portability which allows individuals to obtain and or reuse their personal data for their own purposes across different services. It allows you to move, copy, or transfer your personal data (held in an electronic format) easily from one IT environment to another in a safe and secure way. This right does not apply to any information held by AaA.
  • You have the right to object to the processing of your personal information where we are relying upon your consent, our legitimate interests, or the performance of a task in the public interest which includes direct marketing, profiling, and use of your information for research and statistical purposes.
    For some processing you will have given us permission to process your information, and in these cases you can withdraw your consent at any time. However, even after consent has been withdrawn, we may still need to store some information for other legal reasons. You will always have an absolute right to ask us to stop sending you direct mail or marketing emails and if you have given your consent and you wish to withdraw it, please contact us using the contact details below.
  • Finally, you have a right to be made aware of any automated decision-making taking place on you. That is where a decision is made without any human involvement, for example, this is how social media companies decide what adverts are presented to you based on the profile they have created, or a credit reference company will decided to offer credit or not based on a computer algorithm. AaA do not make any decisions on you using any automated processes. 

 

In certain situations, the above rights may not apply, for example you may ask us to stop sending you marketing emails, but we may need to contact you due to due a contractual, administrative, or legal obligation.

We are Ambitious about Autism and together with Ambitious about Autism Schools Trust, we stand with autistic children and young people, champion their rights and create opportunities. We hold both charitable status as well as a charitable company limited by guarantee; full details are as follows.

Ambitious about Autism (Limited) is a charity registered in England with registration number 1063184 and a registered charitable company limited by guarantee in England and Wales with registration number 03375255. Our limited company is responsible for the data we hold, and we are registered with the UK Information Commissioner's Office under registration number Z5753824.

Ambitious about Autism Schools Trust is a company limited by guarantee and an exempt charity registered in England and Wales under registration number 08335297. 

Our charitable organisations and limited company all have their registered offices at The Pears National Centre for Autism Education Woodside Avenue, London N10 3JA.

Data Protection Senior Officer contact details
If you have any questions about this privacy notice or how we process your personal data, or if you wish to exercise any of your rights you may contact our Data Protection Senior Officer using any of the following channels: 

By email: dataprotection@ambitiousaboutautism.org.uk

By telephone: 020 8815 5444

By post: The Data Protection Officer, The Pears National Centre for Autism Education, Woodside Avenue, London N10 3JA

 

Information Commissioner’s Office (ICO)
In the unlikely event that you are not satisfied with how we are processing your personal data or how we have responded to an enquiry regarding your personal data, you can make a complaint to the Information Commissioner’s Office (ICO) or telephone their helpline on 0303 123 1113. A live chat function is also available on their website.

You can find out more about your data protection rights from the ICO website.

If you would like to read more about how to make a complaint to AaA or AaAST directly, please refer to our complaints policy or complete the complaints form.

Candidate privacy notice

Please find attached our employee and candidate privacy notice.

 

Withdrawing consent policy

Please find attached our withdrawing consent policy.