NFA Group Privacy Notice

Individuals who we hold ‘personal data’ about (more commonly known as ‘Data Subjects’) have a legal right and an expectation to be informed about how we process their ‘personal data’, for what purpose, for how long and what their rights are in connection with this. By personal data we mean ‘any information relating to an identified or identifiable natural person’, this could be your name, your address or details of your circumstances.

Data Controllers (such as the NFA Group and our associated agencies) inform Data Subjects via publishing a Privacy Policy or an overarching Privacy Notice. This Notice is our approach to communicating this information to you. It is important that you carefully read this notice.

This notice covers, but is not limited to, our foster carers, children, young people, commissioners, stakeholders and staff.

Our registrations

The Data Protection (Charges and Information) Regulations 2018 require every organisation or sole trader who processes personal information to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt. The NFA Group and each individual agency has been registered with the ICO for this purpose. Details of our agencies and their respective registrations can be found at the rear of this notice. Valid registrations can be checked on the ICO’s website.

Why your personal data is important to us

Your personal data is important to us as it enables us to realise our mission of improving the lives of young people, their families and communities. It enables us to ensure that the young people who we place in foster care, schools or residential care are well matched, and that both they and their foster parents, school and residential care staff are closely supported to create a safe, nurturing space in which they can realise their full potential and make their way in the world. Your personal data provides the insight to make that possible.

How we obtain your data

We obtain personal data from numerous sources. When we obtain it from foster carers during the application process, we will continue to keep and use it if you are successful in your application. When we obtain data from you, we will be open and up front around our intended use of your data – this will usually be in the form of a Privacy Notice. If you have any queries around the use of your data, please do not hesitate to raise this with your agency.

We will often obtain information from other sources, e.g. from referees during recruitment processes, from local authorities during referrals etc. Information relating to this should be communicated to you at the relevant points of time. For more information, contact your agency.

An overview of the categories of data that we process

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different categories of personal data, such as:

Personal Data

Such as first name, surname, maiden name, title, marital status, date of birth, gender, disability, sexual orientation, criminal convictions, racial or ethnic origin, religious or other beliefs

Circumstantial and Transactional Data

Such as your fostering records, supervision notes, assessment data, annual reviews, allegations etc.

Contact Data

Such as telephone numbers, email address, home address

Family details

Such as contact details and relationships

Financial information

Such as bank details

Safeguarding, special educational needs, physical and mental health

Technical Data

Such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website

Profile Data

Such as your username and password, your interests, preferences, feedback and survey responses

Marketing and Communications Data

Such as your preferences in receiving marketing from us and our third parties, & your communication preferences.

This list is not exhaustive, to access the current list of categories of information we process please consult the NFA Group’s Data Protection Officer at DPO@nfa.co.uk.

We will treat any personal data by which you can be identified in accordance with the provisions of the General Data Protection Regulations and Data Protection Act 2018.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not deemed personal data in law as this data does not directly or indirectly reveal your identity. However, if we do combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we will treat the combined data as personal data which will be used in accordance with this Privacy Notice.

Personal details about your physical or mental health, alleged commission or conviction of criminal offences are considered “sensitive” personal data. We will process any such information only where the law permits us to.

Our justification for processing your personal data

We process your personal data in order to ensure that the young people who we place in foster care, school or residential care are effectively supported to meet their educational, social and emotional goals as they grow and make their way in the world. We regularly assess each young person’s situation, and also engage with foster parents, school and residential staff to ensure they have the appropriate support, both from us and from the third parties who work with us. We also continuously seek to review & improve our services with input from a broad spectrum of individuals. To do that we need to collect, store and process a range of personal data from the people involved in supporting each young person, as well as their own personal data.

We will only use your personal data when permitted by law. Typically, we will use your personal data in the following circumstances:

In order to perform a contract we are about to enter into – or have entered into – with you (such as your Foster Carer Agreement, Local Authority commissioning contract etc.).

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests

As part of our business needs we collect visual images, personal appearance and behaviours through CCTV recordings to maintain the security of property and premises and for preventing and investigating crime. This information may be about foster carers, young people, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.

From time to time we will undertake prize draws, competitions and surveys, in order to study how our carers and customers view our services, to develop those services and grow our business.

We also keep a record of any communications between us and you, for example emails and phone calls, because we need it to help us fulfil your requests, keep in touch with you, and offer you communications that are relevant to you:

Where we need to comply with a legal or regulatory obligation

Where we are obliged to assist Ofsted with their inspections

Where the law requires, we have a duty to cooperate with Local Authorities who have legal responsibilities to ensure suitable placements for looked after children

Where our use of your information is necessary for us to carry out a task in the public interest.

We share information with the Police, Local Authorities or other agencies where we consider that a child or vulnerable person may be at risk or harm.

Where we believe use of your information is necessary in order to protect the vital interests of a young person or another person.

We endeavour not to rely on consent as a legal basis for processing your personal data, except where we consider it is appropriate. Examples of this currently include sending third party direct marketing communications to you via email, phone or text message or by asking you to be part of our promotional material. You have the right to withdraw your consent at any time by contacting us at DPO@nfa.co.uk.

Accessing and sharing your personal information

Your personal data will be accessed on a ‘need to know’ basis. Any internal use of your data will be limited to those who are involved with working with you or need to have access to your information to work on your behalf, your case etc. Any inappropriate use or access of personal data by our staff is regarded as a strict matter and will result in a disciplinary investigation being commenced.

Any information sharing with other stakeholders will be conducted with your privacy at the forefront of our considerations, with the NFA Group ensuring that any relevant sharing is in accordance with the General Data Protection Regulation and the Data Protection Act 2018.

In fulfilling our business needs, we may share your information for any of the purposes mentioned above.

Specifically, information may be shared with, but not limited to:

  • Family and representatives of the person whose personal data we are processing
  • Ofsted and Local Authorities
  • police, courts, tribunals and security organisations
  • data processors who work on our behalf (e.g. research companies, training providers, printing services etc.)
  • healthcare professionals, social and welfare organisations
  • independent persons working on our behalf (e.g. sessional support workers, independent review officers, panel members etc.)
  • independent agencies, who may or may not work on your behalf (e.g. Fostering Network, the Independent Review Mechanism, Ombudsmen, Information Commissioners’ Office etc.)

The period for which we will keep your personal information

We will only retain your personal information for as long as it is required in relation to the purposes for which it was originally obtained or based on our legal and regulatory requirements.

How long personal information will be retained for depends on the type of information it is and what it is being used for. For example, if you ask us not to send you marketing emails, we will stop storing your emails for marketing purposes (although we will keep a record of your preference not to be emailed).

Our data retention schedules are currently under revision, for more information email DPO@nfa.co.uk.

Keeping your personal data safe

Personal data held by us electronically are stored on secure computer systems and we control who has access to them. Our staff receive data protection training and we have data protection policies and procedures in place which teams are required to adhere to.

Where we use external companies to collect or process personal data on our behalf, we undertake checks on these companies before we work with them, and establish a contract setting out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to.

We endeavour to ensure our suppliers do not transfer your personal data outside of regions which do not have adequate Data Protection law. We are a user of the Microsoft Azure platform which utilises data storage within the European Economic Area for our business applications such as Email and NFA World.

Requesting access to your personal data

Under the law, individuals have the right to request access to information about them that we hold. To make a request for your personal information, contact the NFA Group Data Protection Officer at DPO@nfa.co.uk. Please note that we ask you for copies of your identity documents or undertake validation tasks to prove your identity to be eligible to make a request.

If you are considering a request, please make it is as clear, concise and specific as possible as this will allow us to locate the information you are seeking as quickly as we can. Please note that the right of access is not absolute and there may be occasions whereby your data may not be supplied as it is covered by an exemption.

Additional rights under the law

The law provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Information relating to these rights can be found on the ICO’s website

How to contact us and raising a concern

If you would like to discuss anything in this privacy notice, please contact DPO@nfa.co.uk or write to us at Data Protection Officer, NFA Group, 1 Merchants Place, River Street, Bolton, BL2 1BX.

If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance at the contact details above.

Following contact with us, if you remain dissatisfied please note that you have the right to raise a complaint with the ICO. Information on how to raise a complaint can be found at their website

Last updated

We may need to update this privacy notice periodically so we recommend that you revisit this information from time to time. The current version will always be present on our agencies’ websites. This version was last updated June 2019.