As one of the most prominent and long-standing charities for children and young people in the United Kingdom, the EAI Industry is delighted to advocate for improvements to childhood across the country.
By collecting and analysing information, listening to children’s experiences, and uniting organisations in pursuit of common goals, we are able to influence legislation and promote system-wide changes to improve outcomes for children and communities.
To ensure that the improvements are long-lasting, we develop relationships and provide training to individuals who work directly with children, youth, and families.
A significant part of our mission has always been to keep people informed and engaged about the difficulties children face, and we have always done so with care and a strong commitment to privacy and security.
According to the UK GDPR (Data Protection Act 2018 “DPA” and EU Directive 2016/680 and Regulation EU/2016/679 – ‘The General Data Protection Regulation’ “EU GDPR”), our Privacy Statement describes how we manage, store, retain, and utilise your data. This policy describes how we will treat any personal information we receive from you or that you supply to us. Please read the following carefully to gain an understanding of our policies and procedures surrounding your personal information and how we will handle it. In accordance with the UK’s General Data Protection Regulation, we are making it simpler for you to understand how we use your data through increased openness, including but not limited to:
EAI Industry, registered with the Information Commissioner’s Office (registration number xxxxx), registered charity No. xxxx, registered in England and Wales No. xxxx, registered office: 1-6 Yarmouth Pl, Mayfair, London W1J 7BU, is the data controller for the purposes of the UK GDPR. EAI is a limited liability business.
Cyber Essentials Certificate No. xxxx has been issued to EAI.
Your name, email address, postal address, phone or mobile number, date of birth, financial information, and credit/debit card details may be among the personal information we save about you. We may also collect information if you have participated in a survey for research purposes, attended one of our training events, provided us with feedback on our services and activities, subscribed to our newsletters, signed up to online forums that we administer, or visited one of the EAI Family’s websites. Our sites consist of:
Importantly, if you are a member of one (or more) of our Special Membership Groups or other forums, or if you visit one of our websites, the information we gather about you is handled by The EAI Industry, a registered charity and data controller.
When you visit one of our websites, the following information will be gathered automatically:
Under the UK GDPR, there are six permissible legal grounds for processing your personal data. In accordance with the overall principles of the UK GDPR, especially with regard to transparency, we shall establish the legal grounds for processing your personal data in accordance with the objective of EAI and our connection with you. We will identify our legal basis in accordance with the criteria outlined in the UK GDPR, and we will record our legal bases in EAI’s Data Asset Register and any other relevant documents. The six legal bases include:
To fulfil our organization’s objective, we shall collect and treat your personal information based on “legitimate interests” in a proportional and balanced manner. Our justification for utilising this foundation will be either in your or our best interests, in the economic interest, or for the greater good of society. We will guarantee that we only use your data on this legal basis in predictable and readily explicable methods, such as marketing, events, training, or if you engage in any of our numerous advisory or working groups and forums.
Under the legal basis of ‘Contract,’ we shall collect and handle your personal data in order to fulfil our contractual obligations to you, including during procurement or other similar activities leading up to entering into a complete commercial agreement with you.
Under “Legal requirement,” we shall collect and treat your personal data where required to do so by a common law or statutory obligation under UK or EU legislation. This includes situations in which we are compelled by law to comply with legislation established by regulatory agencies, such as Companies House and the Charity Commission.
Your consent must be unequivocal and require a clear confirmation action (Positive Opt-in), and pre-checked opt-in boxes are expressly prohibited. All of our components, such as the newsletters you can sign up for on our websites, comply with this and demonstrate our desire to maintain your trust and engagement with us by giving you real control over what information you receive from us, how we contact you, and how your data is subsequently processed. In addition, we will document your consent, how and when you supplied it, as well as the information we have provided you regarding your consent. This will contain explicit information on how you may withdraw your consent at any time, as well as make doing so a simple procedure. We will also inform you of how and when we may contact you to either reconfirm or change your consent, if relevant. We will regularly evaluate our Consent Policy and Consent Forms to ensure that they remain compatible with any future adjustments or regulations under the GDPR, and we will inform you of any modifications.
Under “Vital interests,” we shall collect and treat your personal information if we require it to safeguard your life, within the limited extent that typically only applies to cases of life and death. We shall not use this legal basis to collect Special Category data (please see G below) if we are obliged to acquire consent.
Under ‘Public task,’ we shall collect and handle your personal information if we require it to carry out a legally mandated duty in the public interest. This may apply to the processing of personal data that is required for the performance of statutory or government activities or for the administration of justice.
We anticipate that the majority of our legal bases will fall under Legitimate Interests, Contract, and Consent due to the nature of EAI’s mission, our programme delivery, our position as a highly trusted partner and convener, our direct participation work with children, young people, and those who support them, our work with practitioners, and our extensive research that enables us to inform policy.
In spite of this, and in order to retain your confidence in us, we will always evaluate the other three grounds and apply them if we think them to be the most applicable in terms of your relationship with us.
There are two more subcategories of personal data that we may occasionally need to collect:
We shall collect and treat your sensitive personal data in accordance with Article 6’s “Special category data” clause in order to preserve your basic rights and freedoms further. These data may or may not have a clear connection to another data type, such as Consent or Vital Interests. Currently, there are eleven categories of Special Category Data:
We will only collect and handle your personal information pertaining to Criminal Offense Data in accordance with the specific protections outlined in Article 10 of the GDPR, which pertain to criminal convictions and offences, or comparable security measures. We acknowledge that it is against the law to maintain a complete registry of criminal convictions unless needed by government authorities.
Your personal data may be transmitted to and kept at a destination outside the European Economic Area (“EEA”). We will take all reasonable measures to guarantee that your information is protected and handled in line with this privacy statement. We shall not transmit your personal information to a country outside the EEA unless we are confident that we are permitted to do so under the UK GDPR.
We save all of the information you supply in a safe environment, and all financial transactions are secured using SSL technology. Where we have provided you (or where you have selected) a password which enables you to access certain portions of our website, you are responsible for maintaining the confidentiality of this password. We request that you not share your password with anybody.
Unfortunately, internet-based information transfer is not entirely secure. We cannot guarantee the security of any data transferred to our website; any communication is at your own risk. After receiving your data, we will employ stringent protocols and security measures to prevent unauthorised access.
We utilise your gathered and stored personal information in the following ways:
We are committed to preserving your personal information for no longer than required and in accordance with the minimum and maximum retention periods outlined in our Retention Policy. We will destroy your personal information as quickly as possible; for instance, if you have registered to attend one of our events, we will delete the majority of the personal information you have supplied with us once the event has concluded.
The data we gather will be anonymized when it is necessary for us to maintain it, such as feedback from one of our events, surveys, and research reasons. As a result, we will only maintain the information and data required to support our organization’s mission of continuing to enhance the lives of children, adolescents, and all those who assist them.
As with all of our processes and procedures, we will ensure that all of our employees have a thorough grasp of our Retention Policy and that any changes are effectively communicated. Similarly, we will have processes in place to ensure that all of our delivery partners and other third-party processors are aware of our Retention Policy and adhere to our expectations on how they handle your personal information.
To retain your confidence and trust in us, our new Retention Policy will be posted here shortly. If you have any questions regarding our Retention Policy, our Data Protection Officer would be delighted to assist you: DataProtection@EAI.org.uk
We are dedicated to exchanging your personal information with third parties only as needed in accordance with our organization’s mission and the implementation of our programmes, projects, training, and other activities, and for research purposes. We shall guarantee that our delivery partners and third-party processors fully comprehend and commit to complying with the agreements they engage into with us about how they keep and preserve your personal information. If you have questions, please contact our Data Protection Officer at [email protected].
We will share your personal information with other parties:
Under the UK GDPR, your right to be informed about the collection and use of your personal data is a fundamental need for transparency. EAI adheres to this by disclosing the purpose for which we process your personal information, our retention periods for that data, and the parties with whom it may be shared. We will assess all such paperwork to verify that the content is succinct, clear, understandable, and easily available, with links to relevant rules or guidelines. To retain your confidence in us, we will periodically evaluate our privacy policies and notify you of any substantial changes.
Even if this is not absolute, you have the right to be forgotten (to have your personal data destroyed or to discontinue the processing of your data). This right applies in particular, but is not limited to:
We shall respond to your inquiry without excessive delay and within one month of the day we received your inquiry. Requests must be submitted in writing and accompanied by acceptable identification. In general, exercising your Right to be Forgotten is free of charge, unless we deem your request clearly baseless or excessive, in which case we may charge a reasonable fee to cover administrative costs.
You have the Right to Rectification if you believe that we have gathered erroneous or incomplete information about you. The latter may necessitate a supplement to the incomplete data. You may submit a request for correction verbally or in writing, and we will respond without undue delay but within one month of the day we received your request.
You have the right to see your personal information and any other information we may have gathered. This allows you to be informed of and check the legality of our data collection, storage, and processing practices. You are entitled to receive from us:
Requests for data subject access must be submitted in writing, and proper identification will be requested. We will normally provide you with your information in a standard, secure electronic format, but we will make every effort to accommodate any alternative format you may request. In the event that we process a substantial quantity of personal information, the UK GDPR permits us to ask you to define which information your request pertains to.
If we receive a request from you, we shall react without undue delay and within a month of your request’s receipt. However, if your request is exceptionally complicated or extensive, we reserve the right to prolong our response time in accordance with the UK GDPR. In such cases, we will notify you of the extension within one month of receiving your request and explain why we believe the extension is in your best interests.
Under the UK GDPR, we may deny a Subject Data Access request if it is obviously unjustified or disproportionate, particularly if it is recurring in nature. In such a case, we will provide you with a thorough explanation of our decision without undue delay and within one month of the date of your request. While it is doubtful that we would deny such a request, in the odd event that we do, we will continue to provide you with further help and advise you of your right to file a complaint with the ICO. We will provide you with a complimentary copy of the requested information. In accordance with the UK GDPR, we may impose a fee if the request is demonstrably baseless, disproportionate, repeated, or for additional copies of the same information.
Our Data Subject Access Policy and Request Form will be posted on this page shortly. If you have any questions in the interim, please contact our DPO.
Your right to data portability enables you to get and reuse your personal data for your own purposes across multiple services, to move, copy, and transfer your data in a safe and secure manner from one IT environment to another. Your Right to Data Portability is limited to the following:
when you provide us with your personal information in our position as a data controller;
when you have consented to our processing your data;
where we process your data to fulfil a contractual obligation.
Our new Data Portability Policy will shortly be posted on this page. If you have any questions in the interim, please contact our DPO.
The legal basis for our processing is the fulfilment of a task in the public interest or the exercise of official power (including profiling);
Your information is used for direct marketing (including profiling);
Our data processing serves scientific/historical research and statistical reasons.
If you exercise your right to object, we will cease processing your personal information unless we can demonstrate compelling valid reasons that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defence of legal claims.
This does not apply to your right to object to our processing of your personal information for direct marketing purposes if there are no exemptions or reasons for us to deny your request. If you submit such a request, we shall handle your objection without excessive delay and at no cost.
If, however, we are undertaking research in which the processing of your personal data is essential for the fulfilment of a task in the public interest, we are not compelled to comply with your objection.
We will always honour your right to affirmatively opt-in via appropriate channels, such as preferences requiring your confirmation. We will continue to make it clear and simple for you to unsubscribe from our newsletters, bulletins, and other mailing lists.
If you have any questions about your rights as mentioned above or would want to make a specific request, our Data Protection Officer would be pleased to assist you: DataProtection@EAI.org.uk
Due to the nature of our mission, we have taken special precautions to protect the rights and freedoms of children, adolescents, and vulnerable adults in regards to why and how we collect, handle, store, and keep their personal information. While the UK’s age restriction for gaining parental consent to gather such information is 13, we have placed the age limit at 16 due to our strong commitment and sensitivity to safeguarding measures. We consequently seek the permission of both the parent or legal guardian and the adolescent for those aged 13 to 16. When a young person is over the age of 16 and there is a reasonable belief that they lack the ability to agree to an activity as defined by the Mental Capacity Act of 2005, we additionally seek the permission of the parent or guardian and the young person.
Under all legal grounds for collecting and processing personal data, we shall ensure that the child, young person, or vulnerable adult understands what they are consenting to and what they may be committing to in establishing a contract.
Where we may regard legitimate interests as our legal basis, we shall evaluate any potential risks associated with the collection and processing of such personal data and establish age-appropriate protections.
EAI has rigorous accountability and governance structures in place for all of its activities. This has involved implementing extra data protection systems to guarantee we are protecting your personal data, basic rights, and freedoms in accordance with the UK’s new GDPR legislation. These upgraded or newly implemented procedures consist of the following:
Periodically, we review and confirm that our contracts and agreements with data processors properly outline our and their obligations and liabilities. This will include our processors committing to act solely in accordance with the written instructions supplied by us and within the scope of their respective duties.
Periodically, we assess what, where, and why we save personal data, as well as the legal basis, data sharing with third parties, and data retention limit. This information is compiled and maintained in our routinely reviewed and updated Data Asset Registers.
We shall conduct a data protection impact assessment where we believe there is a high risk associated with the processing of personal data, such as in the case of complicated projects where personal data may be shared with third parties. Our DPIA will address the type, breadth, context, and purpose of data processing; the need, proportionality, and compliance methods; and will allow us to identify possible risks to persons and how to minimise and monitor them.
Our Data Protection Officer keeps a Data Protection Breach Register to document any situations where data security has been breached.
We take adequate technological and other organisational measures pertaining to the confidentiality, integrity, and availability of our systems and processes, and we frequently evaluate the IT security with our IT supplier. As part of our dedication to environmental concerns, we operate with less and less paper; nonetheless, if data must be stored on paper, we employ secure filing or other appropriate measures. Our security measures include ensuring that our staff and third-party processors have a thorough understanding of the risks that may result in the accidental loss or theft of data, as well as the measures we have in place to mitigate these risks, such as limiting the use of USB sticks to the bare minimum.
Our Board has established a Data Protection Lead Trustee who serves as a direct conduit for our DPO to the Board. Our Board and Finance Risk and Audit Committee (FRAC) have recurring and routine agenda topics that check our continuous compliance in all important governance areas.
We will continue to maintain all of our procedures, processes, and controls at optimal levels commensurate with the nature and scope of our organization’s activities. Within our accountability and governance frameworks, we have robust breach recognition, investigation, and reporting procedures, and we will also ensure that our staff and Data Processors have a thorough understanding of what constitutes a Data Protection Violation and how to report any incident to our DPO in a timely manner. Should a violation be reported, our DPO will examine further to determine if the breach poses a high risk and if it must be notified to the ICO within the 72-hour limit. If such a breach poses a danger of negatively impacting the rights and freedoms of persons, our DPO will initiate our process for notifying such individuals. Regardless of whether the breach must be reported to the ICO, the DPO will ensure that every breach reported is logged in our Data Breach Register and, as appropriate, the Data Security Lead Trustee, our FRAC, and/or the Board of Trustees will be notified.