Kailo is a research partnership, led by UCL alongside Dartington Service Design Lab, University of Exeter, Anna Freud National Centre for Children and Families, Shift and Redthread. We are working initially in two local areas – Newham and North Devon – to explore what matters in relation to young people’s mental health, and to co-design strategies that address the underlying wider determinants of young people’s mental health.
Your privacy is important to Kailo. This data protection Privacy Notice provides information about the different types of personal information that we collect and the ways in which we use it. We process data in different ways depending upon our purpose. For example, if you are a professional, we will process your data differently from that of a young person who is part of a dataset in our design and research work. If in doubt, please feel free to check by contacting us via firstname.lastname@example.org
We take the rights and privacy of the people who participate in our design and research project very seriously. This document sets out how we respect and protect your rights at every stage of the design and research process.
1. What is personal data?
‘Personal data’ refers to any information relating to a person who can be directly or indirectly identified by the data. Wherever possible we make the data we hold about individuals anonymous, so they can no longer be identified. In some cases, however, we need to be able to identify individuals. This may be to link information together, or to make follow-up contacts if required.
2. Why do we use personal data?
We hold ourselves to high ethical and legal standards. We only hold and process your personal information when it is necessary to achieve our aim: to improve public services and systems for children and young people.
We believe that good quality data is essential for designing services and systems that work for children and young people. We are required to have a lawful basis to collect and use your personal information. For Kailo, the legal basis for which we are gathering and processing data from professionals, young people and families is a ‘public task’. i.e. the processing of personal data is necessary for the performance of a task carried out in the public interest by the Data Controller for Kailo, UCL. Given that some data will be considered ‘special category’ data (i.e. from young people in relation to personal and sensitive issues, such as race and ethnicity, care status and issues related to mental health), the derogation for research processing set out in the Data Protection Act 2018 will be relied upon (i.e. processing for research and statistical purposes). Furthermore, whilst a ‘public task’ is the legal basis on which data will be processed, in line with best practice for ethical research, for most engagements with young people will also seek active and informed consent to engage in Discovery activities (unless where to do so is not feasible or practical). But we will always share this Privacy Notice to communicate what information is collected, for what purpose, and how it will be used.
An ethics review committee will review and oversee all Kailo research activities. The ethics committee will ensure that the personal data that we use for research is not used in a way that causes you substantial harm or distress.
We will always tell you which legal basis we are using when we collect and process any personal data about you. You should be given some verbal or written information as you take part in our design and research activities that clearly states the legal basis we are using (this may include an information sheet – or digital link to one – which links to this Privacy Notice). We may, however, keep your personal data indefinitely (if there is a good reason to do so) and we might use your data again for other research. If we do, we will make sure the published results of the research do not identify you (unless you consent to this).
3. What personal information do we use, from whom?
We will always tell you what personal data we hold about you. The exact nature of the personal data we use depends on the specific purposes of our research projects. We will make reasonable efforts to ensure that your personal information is only used for the purposes specified in this data protection policy. For Kailo, we are collecting data from two broad groups of people:
1. From professionals working across Newham, Devon or those working in wider public policy, commissioning, practice or research.
The legal basis for collecting and processing these data is a ’public task’.
For this group of people, data will be collected through email contacts and via meetings, workshops and events, either through written/types notes or via visual or audio recordings of meetings. If any meetings are recorded, participants will be made aware of this.
The types of data collected will include basic personal data, including name, job title, organisation address, telephone numbers, email address and public social media profile data. We may also collect data about the individual’s organisation, their role within it and who their colleagues are. We will also keep a contact history, including what information has been sent to them; meetings, workshops and events attended; and who was present at these. Information about your computer/ mobile device and your visits to and use of our websites, including, for example, your IP address and geographical location. Finally, we will capture their views and perspectives about the issues discussed at meetings, related to the nature and quality of current systems of support for young people’s mental health and wellbeing (as well as information about current, past or planned initiatives, and what these are, and who they are provided by) and their perspectives on the influences upon young people’s mental health. The EU General Data Protection Regulation (GDPR) recognises certain categories of personal information as sensitive, and therefore requiring more protection. These kinds of ‘special category data’ are often important and necessary for our research and may include: information related to race and ethnicity, or information related to physical or mental health.
2. From young people across Newham and North Devon
For engagements with young people, as with professionals, the legal basis for collecting and processing these data is also a ’public task’.
Given that some data will be considered ‘special category’ data (from young people in relation to personal and sensitive issues), the derogation for research processing set out in the Data Protection Act 2018 will also be relied upon (i.e. processing for research and statistical purposes).Whilst a ‘public task’ is the legal basis on which data will be processed, in line with best practice for ethical research, for most engagements with young people will also seek active and informed consent to engage in all Discovery activities (unless where to do is not feasible or practical – which may be the case for brief ad-hoc engagements). But we will always share an information sheet (or card with a link to the information sheet), which includes a further link to this Privacy Notice. Together these communicate what information is collection, for what purpose, and how it will be used.
Data from young people will be gathered through a range of mixed methods engagements, including focus groups and small group discussions, interviews, workshops or school/class-based activities. Young people will be engaged through schools, youth centres and other services and agencies, as well as through engagements in public spaces. Information will be provided about the nature of the engagement and data to be gathered and its purpose and current/future uses. Where appropriate and necessary, young people will be given the opportunity to provide consent to take part (or not). Information will be made available to share with parents or caregivers. The types of data collected will also include basic demographic information, such as name, date of birth and contact information.
The EU General Data Protection Regulation (GDPR) recognises certain categories of personal information as sensitive, and therefore requiring more protection. Much of the data collected from young people will fall into this category, as they are from young people, and the nature of the data is sensitive. This information is important and necessary for our research and may include information related to: race and ethnicity, status of care, disability and information related to physical or mental health. As described above, given that some data to be processed will be ‘special category’ data (from young people in relation to personal and sensitive issues), the derogation for research processing set out in the Data Protection Act 2018 will also be relied upon (i.e. processing for research and statistical purposes).
4. What will these data be used for?
These data will be of crucial importance in determining the local priorities for supporting improvements in adolescent mental health, and will also be used to ensure we are considering a diverse range of perspectives and are not perpetuating inequalities in who is heard and contributing. We may also use special category data to make adjustments for any disabilities or dietary requirements you may have when attending our events.
5. When do we collect personal data about you?
We’ll always tell you when we collect personal data about you. We may hold information relating to you from a number of sources, and will collect personal information about you:
- When you give it to us directly: For example, personal information that you share with us when participating in research questionnaires and interviews.
- When we obtain it indirectly: Your personal information may be shared with us by our partners, or we may access personal information by linking some of your personal information we hold with other collections of data.
- When it is publicly available: Your personal data may be available to us from external, publicly available sources.
6. Securing your personal information
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We will store all the personal information you provide on secure servers.
7. Do we share your personal information?
We will not sell, rent or lease your personal information to others.
However, we often work in collaboration with other organisations during our research. Before we share any information we sign a legal document called a Data Sharing Agreement (DSA) with our partners. This ensures our partners keep the same high standards as our own.
We may disclose your personal information to selected third parties such as our partners and collaborators or sub-contractors. The third party in question will have to use any personal data they receive according to our instructions outlined in the Data Sharing Agreement (for the same purposes and nothing else).
We’ll always tell you when we share your personal information with others.
We take technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We store all the personal information you provide on secure servers. When we do share your personal information, we require the same high standards of our partners. Our staff, associates or contractors who may use your personal data for research are trained and must follow a code of conduct set out in the Data Sharing Agreement.
We will ensure that all of the information we are obliged to share in accordance with article 13 and 14 of the UK GDPR is made available in good time.
We reserve the right to disclose your personal information to third parties:
- In the event that we buy or sell any business or assets, in which case we will disclose your personal information to the prospective buyer or seller or such business or assets;
- If substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets;
- If we are under any legal or regulatory obligation to do so (for example, if we are concerned about your safety or welfare)
- In connection with any legal proceedings or prospective legal proceedings, in order to establish, exercise or defend our legal rights.
8. International Data Transfers
As we sometimes use third parties to process personal information, it is possible that personal information we collect from you will be transferred to and stored in a location outside the UK or the European Economic Area (“EEA”).
Please note that certain countries outside of the UK or EEA have a lower standard of protection for personal information, including lower security protections. Where your personal information is transferred, stored, and/or otherwise processed outside the UK or EEA in a country which does not offer an equivalent standard of protection to the UK or EEA, we will take all reasonable steps necessary (including entering into standard contractual clauses to protect your personal information or relying on the Privacy Shield for transfers to organisations in the US) to ensure that the recipient implements appropriate safeguards designed to protect your personal information.
9. How long do we keep your personal information?
We will generally remove your personal information from our records five years after the date at which it is no longer required unless:
- We are required to hold for longer for legal or regulatory purposes; or
- it is still required in connection with the purpose for which it was collected and/or processed. However, we will remove your personal information from our records before this date if we become aware that:
- Your personal information is no longer required in connection with such purpose(s);
- We are no longer lawfully entitled to process it; or
- You validly exercise one of your right of erasure under Article 17 of the UK GDPR legislation.
10. How we deal with breaches of data protection
If we become aware that there may have been a breach of data protection, we complete a risk assessment led by our data protection officer. This assists us to establish:
- There a reasonable degree of certainty the breach includes personal information;
- The level and severity of the breach;
- Does the breach include sensitive information such as details about individual’s health;
- Does the breach mean;
○ The subject has lost control of their personal information;
○ Whether they may be affected economically;
○ Whether the breach may cause them distress;
○ Are the data subjects concerned potentially vulnerable or at risk;
○ Could there be humiliation or discrimination to the individuals concerned?
Having considered the findings of the assessment, we then decide whether the breach should be reported to the information commissioner’s office. If so, this action is led by our data protection officer. If we decide not to report such a breach, we will record the incident and take remedial action to prevent a similar incident in the future. As a rule, we always report incidents concerning sensitive information. If you are concerned about this, please contact the data protection officer.
11. Your rights
We’ll always tell you what personal information we’re collecting and why. In most cases, we will use consent or legitimate interests as our legal basis for processing your personal data for research. In both cases, you have several rights in relation to the personal data that we hold about you. You can find details of your rights from the Information Commissioner’s Office. Where we rely on your consent to use your personal information, you have the right to:
- Ask us for confirmation of what personal information we hold about you, and to request a copy of that information. If we are satisfied that you have a legal entitlement to see this personal information, and we are able to confirm your identity, we may provide you with this information;
- Request that we delete the personal information we hold about you, as far as we are legally required to do so;
- Ask that we correct any personal information that we hold about you which you believe to be inaccurate.
- Object to the processing of your personal information where we process on the basis of the legitimate interest ground;
- Use the personal information for direct marketing;
- Ask for the provision of your personal information in a machine-readable format to either yourself or a third party, provided that the personal information in question has been provided to us by you, and is being processed by us:
- Ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
If you decide you do not want to receive any further emails from the Kailo partnership, please tell us and we will remove you from the mailing list. At any point you can request to unsubscribe from the Kailo mailing list or remove your personal information from the database by contacting us. Please note that when you ask us to delete your personal information, we will maintain a skeleton record comprising your name and organisation to ensure that we do not inadvertently contact you in the future. We may also need to retain some records for statutory purposes. Please note that you also have the right to lodge a complaint about our handling of your personal data with the Information Commissioner’s Office at www.ico.org.uk/concerns
12. Accountability for data processing
The GDPR includes a seventh principle detailed in article(2) of the UK GDPR that requires each data controller to be accountable for their processing of personal information. Accountability requires the controller to effectively demonstrate how it is responsible for processing activities such as how it;
- Ensures transparency;
- Has legitimate purposes for processing;
- Processes the minimum of data it requires;
- Keeps data up to date and only processes data that is accurate;
- Only keeps information for as long as is required;
- Developed and maintain a sustainably and appropriate security protocol.
13. Accountability statement
We regularly review our data protection policies, procedures and staff guidance. This helps us to ensure we continue to comply with the law and that our intended processing is both clearly explained, necessary and absolutely transparent. Where we rely on consent, we ensure it is gathered in accordance with the law. When we rely on other conditions, we consider the rights of others before we proceed. We assess the risks we may, from time to time, create when processing data to ensure we uphold the rights and freedoms of every individual. This is especially true when we process data in a new way. We only share data where we have a defined purpose to do so and a data sharing agreement is in place. International transfers are safeguarded with Standard Contractual Clauses where necessary. We keep extensive records of our processing. For example, Activity and Incident logs measure our compliance and help us to identify any weaknesses in our procedures. We actively consider the opinion and advice of others both here, in the EU and beyond. We monitor case law and the guidance of the ICO and the EDPB. We have appointed a Data Protection Officer who is an expert in data protection law and is experienced in the sector in which we work. We positively welcome enquiries from the public concerning their personal information. To ensure we protect personal data we constantly review our security measures, both technical and physical and have instigated appropriate safeguards. This includes regularly training our staff. Access to data is based on the ‘Least Privileged’ principle (POLP). We have appointed an identifiable ’Accountable person’ to oversee our processing.’ We are registered with the ICO as a data controller and have a clear breach reporting policy.
14. Other websites
The Kailo partnership is not responsible for the privacy practices or the content of linked websites. Please review the privacy notices of such websites.
15. Updating this privacy statement
We may update this privacy statement by posting a new version on this website. If we update this privacy statement in a way that significantly changes how we use your personal information, we will use reasonable efforts to bring these changes to your attention where we have your contact details. Otherwise, we would recommend that you periodically review this privacy statement to be aware of any other revisions.
16. Contact details
If you have any concerns about your personal data that we hold, please contact our Data Protection Officer at email@example.com and they will investigate the matter. You can find out more about how we use your information at https://www.ucl.ac.uk/legal-services/data-protection-overview. Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-dataprotection- regulation-gdpr/individual-rights/