Privacy Notice

For the purposes of the UK GDPR, Public Practice is the controller and responsible for your personal data. If you have any questions regarding this privacy notice or believe we have breached the UK GDPR, please contact us at info@publicpractice.org.uk or write to us at Public Practice, ℅ Better Space, 127 Farringdon Road, London EC1R 3DA marked for the attention of ‘Operations Manager’.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO - the UK regulator for data protection matters) about our collection and use of your personal data. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Personal data we collect: With regard to each of your visits to our Site, we will automatically collect:

• technical information, including the Internet Protocol (IP) address used to facilitate your connection to the Internet, browser type and version, time zone setting, browser plug-in types and versions, hardware information, and
• information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time); services, products, publications and articles you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate information about how you use our Site to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

Cookies: Our Site uses cookies to distinguish you from other users of our Site. You can read more about how we use cookies in our Cookie Notice.

We use Google Analytics to gather and analyse traffic which accesses our website. We do not allow Google to use or share our analytics data. Our analytics service provider’s privacy policy is available at: http://www.google.com/policies/privacy/. You can view, delete or add interest categories associated with your browser by visiting: http://www.google.com/settings/ads.

Using your personal data: We will use this information for the following legitimate interests (whether ours or a third party’s):

• to maintain our Site and keep it safe and secure;
• to protect the rights, property or safety of Public Practice, our clients, suppliers, contacts or others (we will also use your information where we are required by law to do so);
• to improve our Site and ensure that content is presented in the most effective manner for you and for your device(s);
• for internal operations (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
• to measure or understand the effectiveness of our Site and/or any marketing we serve to you and others, and to deliver relevant marketing to you;
• to deal with any issues you have reported with our Site.

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Personal data we collect: If you contact us or we contact you (by phone, email or otherwise) in connection with a placement or recruitment needs, we will hold your name, job title/profession, employer details, email address(es), landline and/or mobile numbers and location (including, but not limited to, any other details that appear in your emails and other correspondence to us. We will also collect information relating to your preferences in receiving marketing and other communications from us. We may also collect:

• information and documentation that we obtain about you from publicly available information (e.g. your Local Authority website and social media platforms (e.g., LinkedIn, Twitter, Instagram and Facebook) when we carry out research (this is to ensure that we understand the Local Authority you work for);
• information you give us when you attend any of our events and/or webinars, whether hosted by us or a third party (including (but not limited to) when you register to provide feedback);
• information about you from social media platforms including (but not limited to) when you interact with us on those platforms or access our social media content (the information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform, and we encourage you to review them).

We do not record calls. We will only record video conferences if we have consent from all participants and need this to support for example minute keeping or to share learning content across our network.

Where we need to collect personal data by law, or under the terms of a contract we have with your Local Authority employer, and you fail to provide that personal data when requested, we may not be able to perform the contract we have or are trying to enter into (for example, to provide you with a placement). In this case, we may have to cancel our services but we will notify you if this is the case at the time.

Using your personal data: We will use this information for the following legitimate interests (whether ours or a third party’s):

• to enable us to perform our contract with the Local Authority who we are providing services to or to take steps to enter into such contract;
• to enable us to enforce our contract with the Local Authority who we are providing services;
• to manage our relationship with the Local Authority who we are providing services to including (but not limited to) managing payments, contract management, collecting and recovering money owed to us, notifying changes to our terms or this privacy notice, keeping our records updated and to study how clients use our services;
• to seek client feedback on, and help us to, track, improve, personalise and develop, our services;
• to organise, and follow up, events and/or webinars that you have registered to attend;
• to notify you about any other events, services and/or webinars we think you might be interested in;
• to send you marketing communications (provided your marketing and communication preferences allow us to do this) (see 12. Marketing);
• to conduct market research that will help us better understand our target market and tailor our marketing communication;
• where we need to comply with a legal obligation (including (but not limited to) where we need to pass details of people involved in fraud or other criminal activity affecting us to law enforcement);
• to conduct business and marketing analytics;
• to grow our business and inform our marketing strategy and advertising campaigns;
• to monitor and train our internal staff;
• to collect information that will enable us to understand why and how you interact with us and our services;
• to exercise legal rights and/or defend claims.

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us (see 2. Who we are).

Retaining your personal data: This information will be kept for the duration of our contract with the Local Authority who we are providing services to and then for 7 years thereafter in the event of a legal claim. However:

• if we are required by law to retain it for longer, we will retain it for the required period; and/or
• where the information is being used in connection with legal proceedings (including prospective legal proceedings) it will be retained for the duration of those legal (and any enforcement) proceedings.

Personal data we collect: In connection with your application to our job or placement programme(s), we will hold:

• information you have provided on our application form;
• information you provide to us during an interview and selection process;
• information, scoring and notes from our staff and expert assessors involved in the recruitment, interview and selection process;
• information you may have provided to us in your curriculum vitae and any other supporting materials such as work samples;
• information you may have provided to us to prove your eligibility to work in the UK.

We may also hold “special categories” of more sensitive personal data, including information about your:

• race or ethnicity, religious beliefs, sexual orientation; and/or
• health, including any disability, medical condition, health and sickness record.

We will seek explicit consent for the above ‘special category’ information, this is collected either to assist us meet our Health & Safety obligations and to improve the accessibility of our programme. ‘‘Special category’ information collected to improve our services and to hold ourselves accountable, to monitor if we attract applicants / candidates to match the communities they/we will serve is processed and communicated in an anonymised, aggregate form.

If your application is to join our internal Public Practice team, either as an employee or a Non Executive Director, we may also collect personal data about you from the following sources:
your named referees;

• Disclosure and Barring Service or other background check provider in respect of criminal convictions;
• employee background check providers in respect of Adverse credit checks in our Non Executive Directors or employees with financial responsibility only.
• information and documentation that we obtain about you from publicly available information including social media platforms such as LinkedIn, Twitter and Instagram;

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

Using your personal data: We will use this information for the following legitimate interests (whether ours or a third party’s):

• establish your right-to-work in the UK
• fairly assess your skills, qualifications, and suitability for the role;
• carry out background and reference checks, where applicable for the internal team only;
• share first stage recruitment output with the management team conducting face-to-face interviews;
• communicate with you about the recruitment process;
• keep records related to our hiring processes; and/or
• comply with legal or regulatory requirements.

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us (see 2. Who we are).

We also need to process your personal data to decide whether to enter into a contract with you.

Having received your application form as well as the results from any test(s) which you took, and CV, work samples and covering letter where applicable, we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an assessment day or an interview. If we decide to call you for an assessment day or an interview, we will use the information you provide to us at the assessment day or the interview to decide whether you will progress to further stages of the selection process as applicable to the type of role you are applying for.

If we decide to offer you a role in our internal team or as a Non-Executive Director, we will then take up references and carry out any other relevant checks before confirming your appointment. We do not carry our reference checks for the Applicants to our programme, these will be carried out by the Local Authority employer, directly with you.

We will use “special categories” of more sensitive personal data in the following ways:

• we will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview or;
• we will use information about your race or national or ethnic origin, religious, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting; and/or we will use this data in an anonymised, aggregate form.

Retaining your personal data: We will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected and processed. For candidates who are not offered a role, this will be for a maximum period of one year after we have communicated the decision to you. For applicants/candidates who are offered a role, personal data collected through the recruitment process will form part of your personnel file, which is held by us for the duration of your working relationship and thereafter in accordance with our document and data retention policies and applicable laws.

Personal data we collect: If you contact us or we contact you (by phone, email or otherwise) in connection with either partnering with us or to supply services, goods and/or software to us, we will hold your name, job title/profession, employer details, email address(es), landline and/or mobile numbers and location (including any other details that appear on your email or business card which you provide to us). If you are a sole trader or freelancer, we will also collect your personal bank information so that we can pay you as well as any insurance details/certificates.

We may also collect:

• information and documentation that we obtain about you and your/your employer’s business from publicly available information (e.g. your employer’s website, social media and Companies House) when we carry out research (this is to ensure that we understand you and your/your employer’s business);
• information you give us when you attend any of our events and/or webinars, whether hosted by us or a third party (including when you register to provide feedback);
• information about you from social media platforms including when you interact with us on those platforms or access our social media content (the information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform, and we encourage you to review them); and/or

We do not record calls. We will only record video conferences if we have consent from all participants and need this to support for example minute keeping or to share learning content across our network.

Using your personal data: Where you are a sole trader or freelancer, we will use this information to enable us to perform our contract with you or to take steps to enter into such contract. For all other types of suppliers, we will use this information for ours or a third party’s legitimate interests, namely to enable us to perform our contract with you/the company who is supplying services, goods and/or software to us, or to take steps to enter into such a contract.

We will also use this information for the following legitimate interests (whether ours or a third party’s):

• to enable us to enforce our contract with you/the company who is partnering with us or is supplying services, goods and/or software to us;
• to manage payments, fees and charges due under our contract;
• to manage our relationship with you/the company who is supplying services, goods and/or software to us including notifying changes to our terms or this privacy notice and keeping our records updated;
• where we need to comply with a legal obligation (including where we need to pass details of people involved in fraud or other criminal activity affecting us to law enforcement);
• to organise, and follow up on, events and/or webinars that you have registered to attend, and to notify you about any other events and/or webinars we think you might be interested in;
• to conduct business and marketing analytics;
• to grow our business and inform our marketing strategy and advertising campaigns;
• to monitor and train staff;
• to exercise legal rights and/or defend claims; and/or.

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us (see 2. Who we are).

Retaining your personal data: This information will be kept for the duration of our contract with you/the company who is supplying services, goods and/or software to us and then for 7 years thereafter in the event of legal claims. However:

• if we are required by law to retain it for longer, we will retain it for the required period; and/or
• where the information is being used in connection with legal proceedings (including prospective legal proceedings) it will be retained for the duration of those legal (and any enforcement) proceedings.

Personal data we collect: If you contact us or we contact you (by phone, email or otherwise) to make an enquiry about our services or supplying to us, or request information from us, we will hold your name, job title/profession, employer details, email address(es), landline and/or mobile numbers, location and any other details you give us (including any details that appear on your business card which you provide to us).

We may also collect:

• information and documentation that we obtain about you and your/your employer’s business from publicly available information (e.g. your employer’s website, social media and Companies House) when we carry out research (this is to ensure that we understand you and your/your employer’s business);
• information you give us when you attend any of our events and/or webinars, whether hosted by us or a third party (including when you register to provide feedback);
• information about you from social media platforms including when you interact with us on those platforms or access our social media content (the information we may receive is governed by the privacy settings, policies, and/or procedures of the applicable social media platform, and we encourage you to review them).

We do not record calls. We will only record video conferences if we have consent from all participants and need this to support for example minute keeping or to share application guidance or learning content across our network.

Using your personal data: We will use this information for the following legitimate interests (whether ours or a third party’s):

• to respond to your enquiry about our services or about supplying to us;
• to provide you with the information you have requested from us and that we think might be of interest to you;
• to organise, and follow up on, events and/or webinars that you have registered to attend;
• to notify you about any other events, services and/or webinars we think you might be interested in;
• to send you marketing communications (see 12. Marketing);
• to conduct market research that will help us better understand our target market and tailor our marketing communication.

We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us (see 2. Who we are).

Retaining your personal data: This information will be kept for the duration of your enquiry or request and up to 12 months thereafter. However:

• if we are required by law to retain it for longer, we will retain it for the required period; and/or
• where the information is being used in connection with legal proceedings (including prospective legal proceedings) it will be retained for the duration of those legal (and any enforcement) proceedings.

We will only share personal data with third parties (but only the minimum amount they need) in the following instances:

• our employees, contractors, consultants, freelancers and agents who are based in the UK (but their use shall be limited to the performance of their duties and in line with the reason for processing);
• third parties who own, host and support (acting as processors) systems and software tools that we use in our business including (but not limited to) Airtable, Asana, AwardForce, Calendly, Charlie HR, Circle.co, Copper CRM, DocuSign, Eventbrite, Everwell, Google, LinkedIn, Mailchimp, Microsoft, MightyNetworks, Miro, MoneyPenny, Nexudus, Slack, Slido, Spinbackup, TotalAV, Typeform, WithJuno, Workable, Xero, and Zoom. These third parties are based in the UK, Europe, Australia and the USA;
• Google Analytics and search engine providers (acting as processors) that assist us in the improvement and optimisation of our Site and who are based in the USA;
• Our website hosting supplier (acting as a processor) to enable it to maintain and host our Site and who is based in the UK.
• third parties who help us to arrange and/or host events and/or webinars that you have registered to attend (acting as controllers or processors) and who are based in the UK and the USA.
• third parties who provide reference checks for us (including credit reference checks) and/or who assist us to recover monies owed to us (acting as controllers or processors) and who are based in the UK;
• our professional advisers (acting as controllers or processors) including lawyers, bankers, auditors and insurers based in the UK and who provide legal, banking, accounting and insurance;
• HM Revenue & Customs, regulators and other authorities (acting as controllers or processors) based in the UK who require reporting of processing activities in certain circumstances;
• potential buyers (and their agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal data only for the purposes disclosed in this privacy notice;
• where we are required by law to do so;
• our telephony supplier based in the UK (which would get to see phone numbers if we call you) and our broadband supplier, based in the UK (which could see email addresses (but not the content of what you send us, if you encrypt it)) (acting as processors).

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We share your personal data with external third parties (the categories of which are referred to in this privacy notice). This may involve transferring your personal data outside the UK, including Europe, Australia and the USA. Whenever we transfer your personal data out of the UK, we will ensure a similar degree of protection is afforded to it. In some instances, your personal data may be transferred to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government. In other instances, we will ensure at least one other lawful safeguard is implemented, which may include the use of specific contracts approved by the UK Government.

We are aware that UK GDPR restricts the transfer of personal data to countries outside the UK and EU, unless the transfer is to a jurisdiction with similar data protection laws. Remote access to our network from a different country can generally be considered to be a transfer of data so if an employee of ours is temporarily working outside the UK and EU, we will ensure there are appropriate safeguards in place to protect the data.

If you have questions about, or need further information concerning, international data transfers, please contact us (see 2. Who we are).

In relation to personal data that we hold about you, you have the right to:

• where we process your personal data based on your consent, to withdraw your consent easily and at any time;
• get access to your personal data that we hold and receive information about our processing of it;
• ask us to correct the record of your personal data maintained by us if it is inaccurate or to complete incomplete personal data;
• ask us, in certain instances, to erase your personal data or cease processing;
• object to us processing your personal data for direct marketing purposes (see 12. Marketing);
• challenge us processing your personal data which has been justified on the basis of our legitimate interests;
• ask us, in certain instances, to restrict processing personal data to merely storing;
• ask us, in certain limited instances, to transfer your personal data to another online provider;
• not to be subject to automated decision making (including profiling) in certain circumstances; and
• complain to the ICO (www.ico.org.uk) if you think we have breached the UK GDPR. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us (see 2. Who we are) in the first instance.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us (see 2. Who we are). If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you would like to exercise any of these rights, please contact us (see 2. Who we are). We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one calendar month (starting from the day we receive your request). Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

To help protect the privacy of personal data you transmit, we maintain physical, technical and administrative safeguards and require the same of any third parties we share your personal data with. Any payment transactions will be encrypted. We update and test our security technology on an ongoing basis. In addition, we train our staff about the importance of confidentiality and maintaining the privacy and security of your personal data.

As you will be aware the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our Site; any transmission is at your own risk. Once we have received your personal data, we will use physical, technical and administrative safeguards to prevent unauthorised access to your personal data.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We may collect your name and contact details (such as your email address, phone number or address) in order to send you information about services or opportunities which you might be interested in. We never share your name or contact details with third parties for marketing purposes.

You always have the right to "opt out" of receiving our marketing. You can exercise the right at any time by contacting us (see 2. Who we are). If we send you any marketing emails, we will always provide an unsubscribe option to allow you to opt out of any further marketing emails. If you "opt-out" of our marketing materials you will be added to our suppression list to ensure we do not accidentally send you further marketing. We may still need to contact you for administrative or operational purposes, but we will make sure that those communications do not include direct marketing.

You are free to change your marketing choices at any time.

Our Site may, from time to time, contain links to and from the websites of third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Our Site uses interfaces with social media sites such as LinkedIn, Twitter, Vimeo and Eventbrite. If you choose to "like" or share information from our Site through these services, you should review the privacy notice of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your Site visit to your personal data.