Privacy Policy

Depending on your relationship with us, we may collect:

• Children and young people: referral information, care plans, health and education records, risk assessments, family and contact information, photographs (with appropriate consent), and day-to-day notes about their care and wellbeing.
• Families and carers: contact details, correspondence and any information shared as part of contact arrangements.
• Professionals and partners: name, role, organisation, and correspondence relating to placements, referrals and joint working.
• Staff and applicants: recruitment, employment, training, vetting and payroll information as set out in our employee privacy notice.
• Website visitors: technical data such as IP address, browser type and pages visited, plus any information you provide via our contact form.

We use personal data to:

• Provide safe, high-quality therapeutic care to children and young people.
• Meet our statutory and regulatory duties, including those owed to Ofsted, placing authorities, the NHS, and safeguarding partners.
• Recruit, employ and develop our team, and protect their health, safety and wellbeing.
• Manage our day-to-day operations, including finance, governance and quality assurance.
• Respond to enquiries, complaints and feedback.

We rely on the following lawful bases under UK GDPR:

• Legal obligation - to meet duties under the Children Act 1989, Care Standards Act 2000, Children's Homes Regulations 2015 and related legislation.
• Public task - where we act in support of a local authority's statutory functions.
• Legitimate interests - to run our organisation effectively, where this does not override an individual's rights.
• Consent - for non-essential activities such as marketing photography or optional cookies.
• Vital interests - where processing is necessary to protect someone's life.

For special category data (such as health, ethnicity or safeguarding information), we additionally rely on substantial public interest, the safeguarding of children and individuals at risk, or the provision of health and social care, as set out in Schedule 1 of the Data Protection Act 2018.

We only share information where it is lawful, necessary and proportionate. Recipients may include:

• Local authorities and Independent Reviewing Officers responsible for the young person.
• Health, education, mental health and therapeutic professionals involved in their care.
• Ofsted and other regulators.
• The police and safeguarding partners where there is a safeguarding or criminal concern.
• Trusted suppliers (for example IT and HR providers) who process data on our behalf under written agreements.

We do not sell personal data and do not share it for marketing purposes.

We keep records only for as long as we need them, in line with our retention schedule and the statutory minimum periods that apply to children's social care records - most notably the requirement to retain a child's records until their 75th birthday (or 100 years from date of birth for looked-after children). Other records, such as website enquiries, are kept for much shorter periods.

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, secure UK-based hosting, staff training and clear policies on information handling. Any breach is investigated promptly and notified to the Information Commissioner's Office (ICO) where required.

Personal data is stored within the UK or European Economic Area wherever possible. If a supplier requires data to be processed outside these areas, we put in place UK-approved safeguards such as the International Data Transfer Agreement or addendum to the EU Standard Contractual Clauses.

Under UK GDPR you have the right to:

• Be informed about how your data is used.
• Access a copy of the personal data we hold about you.
• Ask us to correct inaccurate or incomplete data.
• Ask us to delete data where there is no lawful reason to keep it.
• Restrict or object to processing in certain circumstances.
• Withdraw any consent you have previously given.
• Complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.

Where a child is too young to exercise these rights themselves, a person with parental responsibility can do so on their behalf. We always consider the child's wishes, feelings and welfare alongside any request.

To exercise your rights or ask a question about this policy, contact our Data Protection Lead at info@saplingstonecare.co.uk or write to us at Suite RA01, 195–197 Wood Street, London, E17 3NU. We aim to respond within one calendar month.