top of page

​​

Ashiana is committed to protecting the personal data of children, young adults with learning difficulties, their families, and all stakeholders. This policy outlines how we collect, use, and protect personal data in line with the General Data Protection Regulation (GDPR). It applies to all staff, volunteers, trustees, and partners.

​

1. Key Definitions

 

  • Personal Data: Info that can identify someone (e.g., names, contact info, medical history).

  • Sensitive Data: Includes health, disability, or ethnicity – requires extra protection.

 

2. Our GDPR Principles

We ensure personal data is lawfully & transparently processed

    a. Used for Legitimate Purposed

    b. Minimised to what is necessary

    c. Accurate & Up to Date

    d. Retained Only as Long as Needed

    e. Securely Stored & Handled

 

4. Lawful Basis for Processing

We process personal data based on:

 

  • Consent

  • Contractual Necessity

  • Legal Obligation

  • Legitimate Interests

 

Sensitive data is only processed with explicit consent or for essential care and support purposes.

 

5. What Data We Collect & Why

We may collect:

 

  • Service Users: Names, contact info, health, education needs.

  • Parents/Guardians: Contact and emergency details.

  • Staff/Volunteers: Employment info, payroll, background checks.

 

Used to:

 

  • Deliver services and ensure safety.

  • Communicate with families and stakeholders.

  • Manage staff recruitment and obligations.

 

6. Your Data Rights

Under GDPR, individuals have the right to:

   a. Access their data.

   b. Request Corrections

   c. Request Deletion (with exceptions)

   d. Restrict Processing

   e. Data Portability

   f. Object to Processing

   g. Avoid Automated Decisions

 

7. Data Security

We use strong measures to keep data safe:

 

  • Physical Security: Locked storage, limited access.

  • Digital Security: Encryption, firewalls, secure systems.

  • Training: Staff are trained in GDPR and data handling.

  • Breach Response: We follow GDPR protocols, including notifying authorities within 72 hours if required.

 

8. Data Retention

Data is kept only as long as necessary. Once no longer needed, it will be securely deleted.

​

9. Sharing Data

We only share personal data with third parties if legally required or with appropriate consent.

bottom of page