Privacy Policy

Who are we

We are Malachi Specialist Family Support Services CIC, whose principal site is at Billesley Ark, 725 Yardley Wood Road, Billesley, Birmingham B13 0PT. We are a Community Interest Company, working with schools, councils and agencies to identify and support families who are facing difficulties. Our Data Protection Officer is New Jubilee Company, and can be contacted via email on DPO@newjubileecompany.com.

What information we process and why

We process personal data relating to our clients, their families, our staff, and our supporters and funders. Our clients include children and young people under the age of 18. We process your personal data so that we can offer services to you, and are able to work with you. Personal data about clients is processed on the basis of informed consent. Personal data about staff and funders is processed on the basis of the contract we have with you.

All data we process is in accordance with the rules as laid down in statute, including the General Data Protection Regulations, and the Data Protection Act 2018. We also follow statutory guidance as laid down in Keeping Children Safe in Education, in order to ensure that safeguarding is a primary concern for all our staff.

Personal data we process about our clients and staff will include some basic details such as names, addresses, contact details and dates of birth. It may also include special categories of data including health information, ethnicity, and religion. We will always ask you if it’s okay to record special categories of information, and you can say no without it affecting the services we provide for you, or the role you carry out for us.

We use personal data about clients to ensure that our workers fully understand who you are, the situations you are facing, and can plan effectively to provide the help and support you need.

We use personal data about our staff to ensure that we can support them in offering services to our clients, and to allow them to perform their professional roles in a secure and safe environment.

Where we rely on consent to process personal data about individuals we work with and provide services for, we ensure that we obtain that consent freely and in a positive manner. Anyone whose personal data is processed on the basis of consent can withdraw that consent easily and quickly.

Who will see your personal data

We will only share your information with people who have a legal or operational reason to see it. For clients, this could include colleagues and managers who are directly involved in planning, providing or supporting your sessions with us. If you are a child, we may share some information with your school or place of learning, if that is appropriate and will help the school plan for your continued attendance and progress within the learning environment. If you are a parent, this could include anyone who needs to be involved in conversations about your child’s progress at their school.

All staff personnel files are held securely by the HR department, and are only available to the HR team and senior management.

In certain circumstances, we may need to share information with partners including the Local Authority, Social Services or the Police. This will only be done where strictly necessary, and the information shared will be limited to what is appropriate to the specific circumstances. This could include any safeguarding concerns we have, or information we believe may indicate that a child could be at risk of harm.

We share some information with our funders, in order to demonstrate to them that we are fulfilling the terms of our contract and using funds appropriately. Any data we share in this way will be anonymised, and in most cases it will not be possible to identify an individual client from the dataset.

What data will be kept

We are required to keep some personal data for a short period of time after we have stopped working with you, either as a client or a colleague. Normally we will keep client files for a maximum of two years after our last contact. After this time they will be securely destroyed.

Any personal data that we keep about our clients is securely stored on an encrypted database, with limited access for staff. It will not be accessed except in response to a question about what we did in that particular case. No decisions will be made about you based on this data and you will not suffer any detriment or harm by having it stored on our secure systems.

All staff are given a copy of the Policy outlining retention periods for information on their Personnel files. This includes how data is stored, who might access it, and when it will be securely destroyed. We will normally keep staff personnel files for a maximum of two years after the end of employment.

We keep an overall summary of our work and the people we have reached through our services. This information might include numbers of people we’ve worked with, how many sessions we held with them, the outcomes we achieved, and could include some additional categorisation such as gender, age and other special characteristics. This data is anonymised and does not allow us to identify individual clients.

If we share information with other agencies around safeguarding concerns, they will keep a record of that information. We will keep our copies of that information while you are our client and for two years after the final contact, after which point it will be securely destroyed.

The collection of this information will benefit our services by:




How we will contact you

We will need to contact our clients, our schools and our supporters for a range of reasons. We will only contact you on relevant Malachi business. We will use the contact details that you provide to us as our main source of communication.

Our preferred means of communicating with clients is by telephone and email. We take all due care when sending information out, to ensure that it is only seen by the intended recipients.

Our customers and business contacts

Malachi values the strong professional relationships we have with partner organisations, and the knowledge sharing these professional networks bring. We will never trade or sell organisational data, and will ensure that professional contacts are only used in a professional manner by our staff. Malachi workers will treat the personal data of customers, colleagues and contacts with the same respect and confidentiality they have for client data.

Seeing the information we hold about you

You can ask to see a copy of all the information we hold about you. To do this, you can write to us or email us at enquiry@malachi.org.uk.

Since the work we do with clients is based on consent, you can withdraw that consent at any time. If you do, then we will delete the majority of the data we hold about you, retaining only the minimum information we need for our records and for our internal administration.

If you aren’t happy with the way we use your data, or if you think that you have suffered harm or detriment as a result of how we have used or stored your data, you can make a complaint to the Information Commissioner's Office.

Data Protection

Context and overview

Malachi Specialist Family Support Services CIC (“Malachi”) needs to gather and use certain personal information about individuals. This can include clients, customers, staff, funders and business colleagues.

All data must be collected, stored and managed in accordance with UK and EU law, and in line with Malachi’s ethos and values. Individuals retain the rights over their own data at all times. Our use of their data must be fair and lawful, and we must be open and honest about what we do with people's data.

All data we process is in accordance with the rules as laid down in statute and Guidance published by the Department for Education, including the General Data Protection Regulations, the Data Protection Act 2018, Keeping Children Safe in Education 2018, the Children Act 1989 and 2004, the Children and Social Work Act 2017, the Children and Families Act 2014, and Working Together to Safeguard Children 2018.

Key principles



Why this policy exists

This policy will help ensure that Malachi respects the rights of all individuals whose data it collects, including clients, customers, staff, funders and business colleagues. It encompasses legal responsibilities and best practice. By being open and honest with individuals we will demonstrate that people can trust our organisation and that we handle personal data with integrity. Routine application of these principles will also help protect Malachi from the risk of data breaches and unauthorised access to personal information.

Data Protection Law and Principles

The use of personal data is governed by EU and UK law. This is enhanced and explained by case law and best practice.

In order to comply with the law, personal data must be collected fairly and lawfully. It must be stored safely and managed securely. It must not be disclosed to anyone who does not have authority to see it.

The General Data Protection Regulations (GDPR), enacted into UK law as the Data Protection Act 2018, set out how data should be obtained, stored and handled. These regulations set out six principles that underpin lawful use of data. These provide the foundation for good data governance. These principles are enhanced by a range of powers for individuals to control how their data is processed and stored.

Policy Scope

This policy applies to:


Responsibilities under this policy

Everyone who works with or for Malachi has some responsibility for ensuring that data is handled safely, securely and appropriately.

There are key roles within the organisation that carry specific responsibilities.

The Board of Trustees are the strategic lead body for the organisation. They will bear ultimate responsibility for ensuring that all our legal obligations are met. They will be accountable for any failure to abide by the correct regulations and for any impact that they may have on our ability to provide services to the children and families in our community, and our reputation within the sector.

The Chief Executive Officer and Management Team are the operational lead body for the organisation. They must ensure that all relevant policies and procedures are in place, and that practice follows the policy across all teams and working areas. They will liaise with the Data Protection Officer in the event of any data governance issues that require attention, and will have overall responsibility for setting an appropriate tone of respect for personal data within the organisation.

The Data Protection Officer has a key role to play in providing expert advice and guidance to the Board and the Senior Leadership Team. It is their responsibility to update senior management and the Board about Data Protection issues, and update policies and procedures in accordance with an agreed schedule and following legislative and best practice updates. They will oversee training and guidance for all staff, and be responsible for liaison with 3rd party suppliers, contractors and partners if they handle personal data. They will also oversee any Subject Access Requests, and handle the response to any data breaches, including being the point of contact for the public and notifying the ICO where necessary.

The IT Manager is responsible for ensuring the physical and virtual integrity of IT data storage services, systems and equipment. They will ensure all IT security meets acceptable professional standards, appropriate to the needs of the organisation, and that access to all electronic systems, databases or files is managed in accordance with the relevant policies. They will liaise with any 3rd party used for processing data, such as an HR / payroll supplier or cloud computing provider, to ensure appropriate levels of protection for all personal data. They have responsibility for making sure that customer-facing applications such as websites or online forms comply with relevant regulations including cookie policies and privacy notices. They will also oversee the life-cycle of data, software and hardware, ensuring that the processes for deleting or encrypting files in accordance with Retention Policies function effectively.

What is personal data?

Personal data is information about a person - anything that would allow someone to identify a living individual. Processing that data means obtaining, using, and transferring data, and storing it in any system that allows it to be found again, such as a computer database or filing system.

In line with the Data Minimisation principle, Malachi will ensure that any personal data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Our Privacy Notice

Malachi will take all reasonable steps to ensure that individuals are aware their data is being processed. This will include telling individuals what is being used, how it is being used, how long it will be kept for, and how they can exercise their rights in respect of that data.

Our Privacy Notice sets out how we collect data, what data we collect, the lawful basis for that, and how long we retain it. It includes information on who we share data with and the lawful basis for such sharing. It also sets out how people can request copies of data we hold about them. The Notice will be included in any marketing or information literature we produce. It will also be available on request, and on the Malachi website.

Establishing a lawful basis for processing your personal data

Under the Data Protection Act 2018, we need to make clear the lawful basis for every type of data processing we carry out.

The majority of the data we process about clients will fall under the lawful basis of consent. Malachi workers explicitly seek full, informed and positive consent to record personal data, and to keep records of work carried out with clients and their families. All clients sign a consent form, which explains what information is processed and how it might be shared. Where information being processed falls under the ‘special’ categories of personal data, we will make it clear that clients do not have to disclose this information, but failing to do so may reduce the quality of the service we are able to offer.

Clients have the right to withdraw their consent at any time during or after the working relationship. When this happens, Malachi will remove most personal data from our systems. We will only retain the level of information we need for our administration and to enable us to feed back to funders about work we have undertaken. This data processing falls under the category of our legitimate interest in processing data.

Malachi processes the personal data of colleagues in schools, in local authorities, and in partner organisations that work with children and families. This data is processed under the lawful basis of our legitimate interests in being able to contact and communicate with named professionals across the sector.

Staff working with Malachi will have a range of personal data processed by us, to enable us to support their development, keep them and our clients safe, and enable the contractual elements of their employment to be completed. Data we process about potential or current staff falls under the lawful basis of contract. Data we share with regulators and other organisations about our staff, such as PAYE information, falls under the lawful basis of legal obligation. When staff leave Malachi, we will retain certain information about them, based on the lawful basis of our legitimate interest in being able to demonstrate that we have complied with all relevant rules and guidelines during their employment.

Where Malachi need to share information with other professionals or agencies due to concerns about risk of harm to a child or to a vulnerable adult, this falls under the lawful basis of substantial public interest, which is necessary for the purpose of protecting an individual from neglect or physical, mental or emotional harm, or protecting the physical, mental or emotional well-being of an individual.

Keeping personal data secure

Once personal data has been lawfully and fairly collected and processed, it must be safely stored, kept up to date, and safely accessed. Storing data in a way that complies with the regulations is a mix of common sense, clear processes and application of strong IT solutions.

The only people who will have access to personal data at Malachi are those who need it for their work. Our IT systems and file storage will have granular levels of permission, and we will ensure that people only see personal data if required for operational reasons and for the benefit of the children and families they are supporting.

Strong passwords must be used to access electronic resources and IT systems. These should never be shared with other people, or written down. Malachi will set an appropriate password policy and require passwords to be changed on an annual basis.

Personal data must only be disclosed to those who are authorised to see it, both within and outside the organisation. If there is any doubt about the identity of the person requesting access to information, or doubt as to whether they should be allowed to see it, Malachi will seek further clarification before disclosing any information.

Data will only be shared with those people who are authorised to see it. This will be in line with our legal obligations and with the lawful and legitimate requirements of the business. Our Privacy Notice explains who we might share data with, the lawful basis for that, and the circumstances in which individuals can object to data being shared.

Full training for all Malachi staff is available. This will help them understand their responsibilities under data protection legislation. Staff should ask their line manager or the Data Protection Officer for guidance if they are unsure about any aspect of data protection.

Data use and transfer

Data must only be used for the purpose it was first obtained. Personal data should not be shared informally, either internally or externally to the organisation.

Staff should follow simple checks when transferring data outside the organisation via post or email, to ensure that personal data goes to the correct recipient. Malachi will use a simple checklist when sending personal data by post, to add an extra layer of security and checking to our data transfers.

Extra care is always taken when sharing data via email. This might include encryption or use of a secure email client. All staff have undertaken training which includes the need to take additional care when using the email system to communicate with individuals and other organisations.

Data should not be stored on personal IT devices. In particular staff must not email work documents to their personal email addresses. If data needs to be transferred outside of the secure work environment, staff should use their Malachi email account, or a secure cloud storage solution provided by the ICT department.

If things go wrong

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Malachi will promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO.

Marketing and Promotion

Malachi carries out a range of marketing and promotional work. This includes promotional literature in schools and other organisations that may wish to use our services. We always ensure that anyone receiving marketing or promotion communications from us has given positive consent to receiving those communications, in the format that we send them out. All such communications will also show clearly how an individual can stop receiving marketing or update information from us.

CCTV at Malachi sites

Malachi uses CCTV cameras at the Billesley Ark site. This is to ensure the safety and security of all those who use or visit our facilities, and to protect the site from damage. Our use of CCTV follows best practice guidelines as laid down by the ICO. You can ask to see CCTV footage in which your image is captured. This should be done in writing as part of a Subject Access Request.

Images recorded by the CCTV cameras are stored on a separate server, in a secure location. They are retained for a maximum of 14 days, after which time they are securely overwritten. Access to the images is restricted to specified people within Malachi. We will only view CCTV footage in response to an incident or an allegation.

The images on our CCTV system are of a sufficient quality to allow us to make out faces of individuals in most circumstances. We are able to take copies of relevant parts of the CCTV footage and store it securely, in order to assist investigations into incidents or allegations. In certain circumstances we may share CCTV footage with partners or other agencies. This may include senior managers or the Police.

Subject Access Requests and your Rights over your data

You have the right to ask to see a copy of any information we hold about you. This is known as a Subject Access Request (SAR). You also have the right to request correction of inaccuracies, and object to processing. To do this, you can write to us, or email us at enquiry@malachi.org.uk.