Privacy Policy
Judicium Privacy Policy & Data Processing Record
Updated 24 February 2025
This privacy notice describes how Judicium Consulting (“the Company”) collects and uses personal information during and after the provision of our services to clients and prospective clients (Data Subjects), in accordance with UK data protection law.
The Company forms part of the Supporting Education Group (SEG) as one of its companies.
The Company together with School Business Services and Neo People operate collectively as the professional services division within SEG (“Professional Services”). There may be occasions when data is shared between the Company, Professional Services and SEG. This is clarified in the relevant sections of this notice.
The UK data protection law consists of the UK General Data Protection Regulation (UK GDPR) which sits alongside an amended version of the Data Protection Act 2018 that relate to general personal data processing, powers of the Information Commissioner’s Office (ICO) and sanctions and enforcement.
It applies to all clients (whether prospective, current or former). Data Subjects may include third parties who are not clients, but whose data is processed through a provision of services to clients e.g. where a client is a school, the Company may process data about staff, pupils or parents.
Who collects this Information?
The Company is a “data controller”. This means that the Company are responsible for deciding how they hold and use personal information about you.
The Company are required under data protection legislation to notify you of the information contained in this privacy notice. This notice does not form part of any contract to provide services, and the Company may update this notice at any time.
Professional Services have a number of central services, including financial, marketing and support services. This means that personal data may be shared within Professional Services in order to provide the required services to you.
It is important that you read this notice with any other policies mentioned within this privacy notice, so that you understand how your information is processed and the procedures taken to protect your personal data.
Data protection principles
The Company will comply with the data protection principles when gathering and using personal information, as set out in the data protection policy.
Categories of information processed and purpose
Personal data is currently defined as information from which an individual can be identified e.g. a client’s full name.
There are “special categories” of more sensitive personal data which require a higher level of protection.
The Company will only use your information when the law allows. Most commonly, your information will be used in the following circumstances:
- Consent: the individual has given clear consent to process their personal data for a specific purpose;
- Contract: the processing is necessary for a contract or to take steps prior to entering into one;
- Legal obligation: the processing is necessary to comply with the law (not including contractual obligations);
- Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of the Company or a third party.
The following categories of personal information and special category data about you may be collected, stored and used for the following purposes:
| Categories of Information | Purpose | Lawful basis |
|---|---|---|
| Accounting and Finance | ||
| Client finance details including payment information, contact details, payment status and correspondence. |
|
|
| Clerking and Governance | ||
| Name, contact details and position, services purchased. |
|
|
| Training records including attendance and completion. |
|
|
| Correspondence history |
|
|
| Information shared as part of meetings including exclusion details, staffing matters. |
|
|
| Documents stored on governor portals. |
|
|
| Data Protection | ||
| Name, contact details and position, services purchased. |
|
|
| Correspondence history |
|
|
| Training records |
|
|
| Facilities Management | ||
| Name, contact details, position, services purchased. |
|
|
| Correspondence history |
|
|
| Training records |
|
|
| Finance | ||
|
Name, contact details, position, services purchased. |
|
|
|
Financial details including payroll records for staff. |
|
|
|
Finance consultancy – summary of client visits, correspondence history and any personal data shared as part of client visits. |
|
|
| Financial Planner | ||
|
Registration details including name, employment information, contact information and level of access. |
|
|
|
Employee records including name, gender, date of birth, employment details, any extended leave and work location. |
|
|
|
Correspondence history |
|
|
| Health and Safety | ||
|
Name, contact details and position, appointment history, services purchased. |
|
|
|
Correspondence history including data shared through correspondence. |
|
|
|
Training records |
|
|
|
Name and position details of responsible person for fire risk assessment. |
|
|
| HLTA Training | ||
|
Name, contact details, position, school details including key postholders. |
|
|
|
Postal address |
|
|
|
HR and Employment Law |
||
|
Name, contact details and position, services purchased. |
|
|
|
Correspondence history including employment information and records shared as part of these discussions. |
|
|
|
Training records |
Ensure suitable completion of HR and employment law training. |
|
|
Initial employee details such as name, address, contract changes, salary details and position. |
|
|
|
Details provided as part of a DBS application including names and identifiers, identification, address history and self-disclosure of criminal history. Results from DBS checks including criminal offence data |
|
|
|
Details provided as part of online check service. Including name, position, contact details, address, place of birth and nationality. Result of check including evidence of online activity. |
|
|
|
Data provided as part of consultancy service delivery such as mediation and investigations. |
|
|
|
Records required in order to manage ongoing litigation services. |
|
|
|
ICT |
||
|
Name, contact details, position, services purchased. |
|
|
|
Personal data provided whilst handling a client issue – account details, service issues, contact information. |
|
|
|
Remote access to a user’s system – this may involve viewing personal data shared by the user. |
|
|
|
Correspondence history |
|
|
|
Data provided in service logs – such as individual user issues |
|
|
|
Personal data supplied as part of an agreed service project (such as audits or server migration). |
|
|
|
Internal Scrutiny |
||
|
Name, contact details and position, services purchased. |
|
|
|
Staff and student details shared as part of the audit process (such as details on single central record, employment contracts, payroll details). |
|
|
|
Personal data shared as part of the planning process |
|
|
|
MIS |
||
|
List of school support users including name, email address, contact number and position. |
|
|
|
MIS system access including where required taking copies of data. |
|
|
|
Helpdesk records and correspondence history |
|
|
|
Data provided as part of consultancy service delivery |
|
|
|
Training records including name, attendance and completion. |
|
|
|
Payroll |
||
|
Salary and finance records including name, date of birth, gender, service dates, employment details, salary, tax and pension records. |
|
|
|
Employee data provided as part of ongoing reporting. |
|
|
|
Employee data sharing with relevant third party organisations – for example pension contributions, union payments, deduction of earning payments, tax details. |
|
|
|
Staff absence reporting. |
|
|
|
Data shared by client to maintain a HR system – for example qualifications, health data, ethnicity. |
|
|
|
Correspondence history |
|
|
|
Safeguarding, Supervision and SEND |
||
|
Name, contact details and position, services purchased. |
|
|
|
Correspondence history |
|
|
|
Training records |
|
|
|
Documents viewed during audit including safeguarding records and single central record. |
|
|
|
Anonymise responses to safeguarding and SEND questionnaires. |
|
|
|
Data collected as part of supervision services including meeting notes and any data shared. |
|
|
|
Sales and Marketing |
||
|
Name, contact details, position, correspondence history. |
|
|
|
Receiving contact details from external marketing campaigns |
|
|
|
Records of subscription preferences and opt-outs. |
|
|
|
Website enquiries, sofa session and CFO/COO insider feedback including name, contact details, details of enquiry. |
|
|
|
Work Permits |
||
|
Client details including name, contact details. |
|
|
|
Data required to complete and process visa and immigration applications including identifiers, bank statements, dependents and relationships, identification documents, work details, travel history. |
|
|
|
Data provided in completion of a sponsor licence including banking records of named individuals. |
|
|
|
Correspondence history |
|
|
|
Consultation meeting notes advising on visa viability. |
|
|
How this information is collected
Personal data is most commonly collected directly from clients, for example, when an enquiry is made about services, or in the normal course of the provision of services to clients.
However, information may also be collected:
- from publicly accessible sources, e.g., Companies House or HM Land Registry;
- directly from a third party, e.g.,: customer due diligence providers or marketing agencies;
- from a third party with your consent, e.g., your bank;
- on the Company website — such as enquiry forms or through the use of cookies. For more information on use of cookies, please see the Company cookie policy which is available on the website.
Sensitive information
Sensitive personal information (as defined under the UK GDPR as “special category data”) require higher levels of protection and further justification for collecting, storing and using this type of personal information. The Company may process this data in the following circumstances:
- In limited circumstances, with your explicit written consent;
- Where the Company need to carry out our legal obligations in line with our data protection policy;
- Where it is needed in the public interest, such as for equal opportunities monitoring or for regulatory requirements;
- Less commonly, processing this type of information where it is needed in relation to legal claims or where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
Marketing
From time to time, the Company will provide marketing communications to you. This is in order to provide you with a personalised and targeted service and to allow you the choice in what communications you receive.
Communication may come from the Company, Professional Services or the Supporting Education Group (“SEG”) including communications from other companies within SEG.
The content of these communications will include providing:- Updates about progress of the Company, Professional Services, SEG and its group companies.
- Details about services offered by the Company, SEG and its group companies.
- Subscription services such as weekly updates and newsletters.
- Opportunities and events promoted by the Company, Professional Services, SEG and its group companies such as research programmes, webinars and training sessions.
The Company have a legitimate interest in using your personal data for marketing purposes and do not usually need your consent to send marketing information.
The Company follow laws and guidelines when sending marketing communications including: -- Sending marketing communications to a work email address where possible.
- When communicating with a non-work email address, to do so with a lawful basis (either under legitimate interests or with the user’s explicit consent to carry out marketing).
- In all instances to provide users with an ability to opt out of marketing.
- When using third party companies to assist with marketing to ensure data collection and use is done in accordance with data protection laws.
- Not providing your details to third party companies outside of SEG.
Such marketing activities may include sending promotional and commercial communications regarding services offered by the Company, Professional Services, SEG and/or its group companies. This may include co-marketing or joint sale opportunities, including promotional events, training and webinars.
In some cases, personal data that you provide is done via group company platforms. This data may be shared and combined with personal data collected throughout your relationship with the Company. Where this is done, it will be communicated to you.
Automated decision making
Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention. Automated decision making can be used in limited circumstances.
- Where the Data Subject is notified of the decision and given 21 days to request a reconsideration.
- Where it is necessary in performance of the contract with the Data Subject and appropriate measures are in place to safeguard their rights
- With the explicit written consent of the Data Subject and where appropriate measures are in place to safeguard their rights
If automated decision making is made in relation to Data Subjects using special category data, there will either be explicit written consent of the Data Subject or it must be justified in the public interest.
Currently the Company do not undertake decisions about clients using automated means.
Sharing data
The Company may need to share your data with third parties, including third party service providers where required by law, where it is necessary to administer the working relationship with you or where there is another legitimate interest in doing so.
These include sharing data with the following:
- The Supporting Education Group;
- Professional Services;
- Third parties used to help deliver products and services to you;
- Third parties used to help the Company operate (such as website hosts);
- Third parties used to provide marketing assistance;
- Third parties used to facilitate compliance with support services (for example MIS providers to help comply with MIS support requests);
- Insurers and brokers;
- Professional advisors;
- External auditors;
- Law enforcement agencies, courts, tribunals and regulatory bodies;
- Banks.
Information will be provided to those agencies securely, or if possible in an anonymised format.
The recipient of the information will be bound by confidentiality obligations and are required to respect the security of your data and treat it in accordance with the law.
International Data Transfers
The Company do not transfer your personal data outside of the UK/EEA. However, should the need arise to transfer data outside of the EEA, the Company shall either share with a country which has received an appropriate adequacy decision or will ensure that there are safeguards in place to provide appropriate levels of protection.
Security
The Company have put in place measures to protect the security of your information (i.e. against it being accidentally lost, used or accessed in an unauthorised way). In addition, access is limited to your personal information to those employees, agents, contractors and other third parties who have a business need to know. Details of these measures are available on request.
Retention
Personal information is retained about clients for as long as necessary to fulfil the purposes it is collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements. This retention period will in most cases be as long as you are a client.
Details of retention periods for different aspects of personal information about Data Subjects are in the Company’s data retention policy which is available upon request.
To determine the appropriate retention period for personal data, the Company consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which personal data is processed and whether those purposes can be achieved through other means, and the applicable legal requirements.
Your Rights of Access, Correction, Erasure and Restriction
Under certain circumstances, by law you have the right to:- Access your personal information (commonly known as a “subject access request”). This allows you to receive a copy of the personal information held about you and to check it is lawfully processed. You will not have to pay a fee to access your personal information. However, a reasonable fee may be charged if your request for access is clearly unfounded or excessive. Alternatively, there maybe grounds to refuse to comply with the request in such circumstances.
- Correction of the personal information held about you. This enables you to have any inaccurate information held about you corrected.
- Erasure of your personal information. You can ask to delete or remove personal data if there is no good reason to continue to process it.
- Restriction of processing your personal information. You can ask to suspend processing personal information about you in certain circumstances, for example, if you want to establish its accuracy before processing it.
- To object to processing in certain circumstances (for example for direct marketing purposes).
- To transfer your personal information to another party.
If you want to exercise any of the above rights, please contact the Company’s data protection officers, Judicium Consulting in writing by emailing dataservices@judicium.com.
The Company may need to request specific information from you to help confirm your identity and ensure your right to access the information (or to exercise any of your other rights).
Right to Withdraw Consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact marketing@judicium.com. Once notification has been received that you have withdrawn your consent, the Company will no longer process your information for the purpose or purposes you originally agreed to, unless there is another legitimate basis for doing so in law.
How to Raise a Concern
The Company have appointed a data protection officer (DPO) to oversee compliance with data protection and this privacy notice. If you have any questions about how your personal information is handled which cannot be resolved by the Company in the first instance then you can contact the DPO on the details below: -
Data Protection Officer: Judicium Consulting Limited
Address: 72 Cannon Street, London, EC4N 6AE
Email: dataservices@judicium.com
Web: www.judiciumeducation.co.uk
You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.
Changes to this Privacy Notice
The Company reserve the right to update this privacy notice at any time and will provide you with a new privacy notice when making any substantial updates. The Company may also notify you in other ways from time to time about the processing of your personal information.