Privacy Policy

Judicium Privacy Policy & Data Processing Record

Updated 16 April 2024

BACKGROUND:

 Judicium understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our clients, employees and other people with whom we interact with and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

  1. Information About Us & this Document

This document applies to Judicium Education Ltd and its wholly owned subsidiaries and relates to the data that is shared between its parent company and subsidiaries. The subsidiaries are: Judicium Consulting Limited, Judicium Education Support Services Limited, Judicium UK Work permits Limited and Judicium School Services Limited - together known as ‘Judicium’ or ‘we’. References within the policy to parent company and member companies include Judicium’s parent company, Supporting Education Group and its subsidiaries.

The details of Judicium’s Data Protection Officer are as follows:

  • Data Protection Officer: Craig Stilwell
  • Email address: dataservices@judicium.com
  • Telephone number: 02033 269 174
  • Registered address: 72 Cannon Street, London EC4N 6AE
  • VAT number: 756 2746 05
  1. What Does This Document Cover?

This document explains how Judicium use your personal data: how it is collected, why it is collected, and our lawful reasons for doing so, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.

  1. What is Personal Data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

The personal data that we hold/process is set out in Paragraph 5, below.

  1. What Are My Rights?

Under the GDPR, you have the following rights, which we will always work to uphold:

  • The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Paragraph 15.
  • The right to access the personal data we hold about you. Paragraph 13 will tell you how to do this.
  • The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Paragraph 15 to find out more.
  • The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Paragraph 15 to find out more.
  • The right to restrict (i.e. prevent) the processing of your personal data.
  • The right to object to us using your personal data for a particular purpose or purposes.
  • The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
  • Rights relating to automated decision-making and profiling. We do not use your personal data in this way.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Paragraph 15.

Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

  1. What Personal Data Do You Process?

The type of personal data we collect, or process may vary according to the relationship between you and Judicium and according to the service that we provide to you or for your benefit, directly or indirectly. The categories of personal data processed by the various Judicium teams are listed below.

5.1 The Employment & HR Advisory and HR Administration teams may process the data listed below on clients’ employees but only where it is necessary to perform the advisory or consultancy role:

  • Personal information and contact details such as name, title, addresses, date of birth, marital status, phone numbers and personal email addresses;
  • Emergency contact information such as names, relationship, phone numbers and email addresses;
  • Information collected during the recruitment process and retained during employment including references, proof of right to work in the UK, application form, CV, qualifications;
  • Employment contract information such as start dates, hours worked, post, roles ;
  • Education and training details;
  • Details of salary and benefits including payment details, payroll records, tax status information, national insurance number, pension and benefits information;
  • Details of any dependants;
  • Nationality and immigration status and information from related documents, such as your passport or other identification and immigration information;
  • Information in your sickness and absence records such as number of absences and reasons (including sensitive personal information regarding your physical and/or mental health);
  • Racial or ethnic origin, sex and sexual orientation, religious or similar beliefs;
  • Criminal records information as required by law to enable employee to work with children;
  • Trade union membership;
  • Information on grievances raised by or involving the employee;
  • Information on conduct and/or other disciplinary issues involving the employee;
  • Details of appraisals, performance reviews and capability issues;
  • Details of time and attendance records;
  • Information about the use of IT, communications and other systems, and other monitoring information;
  • Details of use of business-related social media;
  • Images of staff captured by the School’s CCTV system;
  • Your use of public social media (only in very limited circumstances, to check specific risks for specific functions within the School);
  • Details in references given/received by or on behalf of the client.

 5.2 School clients may also ask advice which involves our processing of the following categories of data about pupils and parents:

  • Personal information such as name, pupil number, date of birth, gender and contact information;
  • Emergency contact and family lifestyle information such as names, relationship, phone numbers and email addresses;
  • Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility);
  • Attendance details (such as sessions attended, number of absences and reasons for absence);
  • Financial details such as monies owed and financial hardship;
  • Performance and assessment information;
  • Behavioural information (including exclusions);
  • Special educational needs information;
  • Relevant medical information;
  • Special categories of personal data (including biometric data, ethnicity, relevant medical information, special educational needs information);
  • Images of pupils engaging in school activities, and images captured by the School’s CCTV system.

 5.3 School clients may also ask advice which involves our processing or the following categories of data about Governors:

  • Names, addresses and occupations.

5.4 The Legal Support advisory team may process the data listed below but only where it is necessary to perform the advisory or consultancy role:

  • Name and contact information of clients’ vendors and suppliers;
  • Financial and payment details of clients’ vendors and suppliers;
  • The data set out in paragraph 5.1 where a person is making a subject access request;
  • The data set out in paragraph 5.1 where advising on education matters involving pupils and/or parents.

5.5 The Health and Safety team may process the data listed below but only where it is necessary to perform the advisory or consultancy role:

  • Information required to perform a DSE risk assessment including name, and health status;
  • Information required to perform a pregnancy risk assessment including name, and health status;
  • Name and contact information of clients’ vendors and suppliers;
  • Financial and payment details of clients’ vendors and suppliers.

5.6 The School Management team may process the data listed below but only where it is necessary to perform the advisory or consultancy role:

  • The data set out in paragraph 5.1 where necessary to advise on education improvement, clerking or governance, or financial or operational matters of the school and involving employees, suppliers, pupils or parents.

5.7 The Data Protection Officer team may process the data below but only where it is necessary to perform the DPO role.

  • The data set out in paragraph 5.1 where necessary to advise on data protection; matters or in the capacity of the DPO role on matters of the school and involving employees, suppliers, pupils or parents.

 5.8 The Payroll team may process the data listed below but only where it is necessary to perform the role of payroll contractor:

  • Personal information and contact details such as name, title, addresses, date of birth, marital status, phone numbers and personal email addresses;
  • Employment contract information such as start dates, hours worked, post, roles;
  • Details of salary and benefits including payment details, payroll records, tax status information, national insurance number, pension and benefits information;
  • Details of time and attendance records.
5.9 The Immigration team may process the data listed below but only where it is necessary to perform the role of Immigration Consultants:
  • Personal information and contact details such as name, title, addresses, date of birth, marital status, nationality, phone numbers and personal email addresses;
  • Employment history information such as start dates, hours worked, post, roles;
  • Qualifications and work experience and skills;
  • Details of salary and benefits including payment details, payroll records, tax status information, national insurance number, pension and benefits information.
  1. Judicium process personal data on its staff (including temporary staff, casual staff and volunteers) as well as prospective applications. Primarily the following data is processed in order to take a decision on recruitment as well as to comply with an individual’s contract of employment (or take steps before entering into a contract):
  • A job applicant’s CV and any cover wording as well as relevant recruitment checks;
  • Proof of right to work in the UK;
  • Personal information and contact details such as name, title, addresses, date of birth, phone numbers and email address
  • Emergency contact information;
  • Details of sickness and absence;
  • Performance records;
  • Information on conduct (including disciplinary issues) and records of complaints/concerns;
  • Details of salary and benefits including payment details, payroll records, tax status information, national insurance number, pension and benefits information.
  1. Data processed by Supporting Education Group

Supporting Education Group may process personal data where it is necessary to enable the smooth running of Judicium, Supporting Education Group and its subsidiaries. Personal data will consist of names and roles of persons employed by clients of the group which may be shared within the group for the purpose of cross-marketing services.

  1. What is Your Reason for Holding/Processing my Personal Data?

Under the GDPR, we must always have a lawful basis for processing/using personal data. The lawful bases for processing are set out in Article 6 of the GDPR. The reasons why Judicium hold/process your personal data are:

  • Because we need to do so in order to perform a contract that we have with you or are taking steps to enter into with you.
  • Because we have your consent to hold/process your data.
  • Because we have a legal obligation to hold/process the data regardless of whether any contract exists between us.
  • Because we have a legitimate interest in holding/processing your data, or there is a legitimate third party interest and there is not a good reason to protect the individual’s personal data which overrides those legitimate interests.
  1. For What Purpose Do You Use My Personal Data?

The purposes for which Judicium use your personal data may be one or more of the following:

  • Communicating with you to inform you of our services
  • Communicating with you with the purpose of entering into a contract with you
  • Providing, administering and managing our contract with you.
  • Supplying our services to you or for your benefit.
  • Personalising and tailoring our services for you or for your benefit.
  • Communicating with you on matters that may fall outside the immediate contractual obligations but arise in the course of supplying our services to you
  • Advising your employer, where we are engaged as their HR/Employment law advisers or health and safety advisers or School management advisers or data protection advisers or workplace immigration advisers:
    1. on all matters pertaining your employment
    2. On all matters relating to the application and interpretation of health and safety policies and procedures to your employment,
    1. On all matters relating to the application and interpretation of data protection laws to your employment,
    1. On all matters relating to the operational and educational needs of a school, including clerking and governance
    2. On all matters relating to the application and interpretation of immigration laws within the context of your employment or potential employment.
  • Where you are not an employee of a Judicium client, advising our client on the application and interpretation of data protection laws and freedom of information laws within the context of a Subject Access Request you have submitted or a Freedom of Information request you have submitted to our client and where were are acting either as adviser or an Data Protection Officer.
  • Advising you as an individual on the application and interpretation of UK Immigration law within the context of your personal circumstances.
  • Where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email and/or telephone and/or text message and/or post with information, news, and offers on our services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.
  • From time to time, Judicium will provide marketing communications to you in various forms. Communication may come from Judicium or through its parent company, the Supporting Education Group(“SEG”) including communications from other companies within SEG. This is in order to provide you with a personalised and targeted service but we also wish for you to have the choice in what communications you receive from us.
  • We follow laws and guidelines when sending marketing communications including:
    1. Sending marketing communications to a work email address where possible
    2. When communicating with a non-work email address, we will ensure that we do so either under the soft opt in principles or with the user’s explicit consent to carry out marketing.
    1. In all instances to provide users with an ability to opt out of marketing. The user can opt out of communications from particular companies within SEG.
    1. When using third party companies to assist with marketing we ensure data collection and use is done in accordance with data protection laws
    2. We never provide your details to third party companies outside of SEG.
  • Such marketing activities may include sending promotional and commercial communications regarding services offered by Judicium and/or SEG. This may include co-marketing or joint sale opportunities, including promotional events, training and webinars.
  • In some cases, personal data that you provide us is done via group company platforms. This data may be shared and combined with personal data collected throughout your relationship with Judicium. Where this is done, it will be communicated to you and, where necessary, obtain your consent before doing so.
  • We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
  • Please note that we will use customer data for those who have created an application, opted into marketing messages or requested additional information to evaluate its practices and as a method to improve its services. We use Google systems to help us achieve this and further details on how this is used please see here. This allows us to collect information to enhance performance. To find and control your experience with Google, follow this link.
  1. How Long Will You Keep My Personal Data?

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):

  • Where the data relates to a contractual relationship between us and you where it may potentially come to be considered evidence in a dispute, we shall keep that data up to six years after that relationship has ended.
  • Where the data consists of information that we are required to retain by law, we shall keep the data as long as we are required to do so.
  • Where there is no contractual relationship between us but there exists a risk of litigation where the data may potential come to be seen as evidence or somehow material, we shall keep the data as long as that risk is live and material.
  • Where the information is required for effective operation of our accounts or business operations we shall keep the data, but no longer than for that required purpose and in accordance with financial best practice requirements.
  • Where the purpose for which the data was lawfully acquired is still live we shall keep the data, but no longer than is required by law.
  1. How and Where Do You Store or Transfer My Personal Data?

We will only store or transfer your personal data within the European Economic Area (the “EEA”). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the GDPR or to equivalent standards by law.

  1. Do You Share My Personal Data?

Judicium will not share any of your personal data with any third parties for any purposes, subject to these exceptions:

  • To make effective the objectives of a contract that we have with you or for your benefit;
  • Where we have your consent to share your data; and
  • Where we are legally obliged to do so by statute, a court order or other type of legal obligation.

If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above. If in the exceptional circumstance that any personal data is transferred outside of the EEA (where, for instance, a laptop is taken on holiday to US), we will take suitable steps in order to ensure that your personal data is treated safely and securely.

  1. How Can I Access My Personal Data?

If you want to know what personal data Judicium have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown in Paragraph 15.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

  1. How Do I Contact You?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:

  • For the attention of: Craig Stilwell
  • Email address: dataservices@judicium.com
  • Telephone number: 02033 269 174
  • Postal Address: 72 Cannon Street, London EC4N 6AE
  1. Changes to this Privacy Notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. Any changes will be made available online.