Privacy Policy

This note is applicable to Kailo. For the #BeeWell survey delivered by Kailo privacy policy, see here.

Kailo is a research partnership, led by UCL alongside Dartington Service Design Lab, University of Exeter, Anna Freud National Centre for Children and Families, Shift and Redthread. We are working initially in two local areas – Newham and North Devon – to explore what matters in relation to young people’s mental health, and to co-design strategies that address the underlying wider determinants of young people’s mental health.

Your privacy is important to Kailo. This data protection Privacy Notice provides information about the different types of personal information that we collect and the ways in which we use it. We process data in different ways depending upon our purpose. For example, if you are a professional, we will process your data differently from that of a young person who is part of a dataset in our design and research work. If in doubt, please feel free to check by contacting us via thomas.booker@ucl.ac.uk

We take the rights and privacy of the people who participate in our design and research project very seriously. This document sets out how we respect and protect your rights at every stage of the design and research process.

1. What is personal data?

‘Personal data’ refers to any information relating to a person who can be directly or indirectly identified by the data. Wherever possible we make the data we hold about individuals anonymous, so they can no longer be identified. In some cases, however, we need to be able to identify individuals. This may be to link information together, or to make follow-up contacts if required.

2. Why do we use personal data?

We hold ourselves to high ethical and legal standards. We only hold and process your personal information when it is necessary to achieve our aim: to improve public services and systems for children and young people.

We believe that good quality data is essential for designing services and systems that work for children and young people. We are required to have a lawful basis to collect and use your personal information. For Kailo, the legal basis for which we are gathering and processing data from professionals, young people and families is a ‘public task’. i.e. the processing of personal data is necessary for the performance of a task carried out in the public interest by the Data Controller for Kailo, UCL. Given that some data will be considered ‘special category’ data (i.e. from young people in relation to personal and sensitive issues, such as race and ethnicity, care status and issues related to mental health), the derogation for research processing set out in the Data Protection Act 2018 will be relied upon (i.e. processing for research and statistical purposes). Furthermore, whilst a ‘public task’ is the legal basis on which data will be processed, in line with best practice for ethical research, for most engagements with young people will also seek active and informed consent to engage in Discovery activities (unless where to do so is not feasible or practical). But we will always share this Privacy Notice to communicate what information is collected, for what purpose, and how it will be used. 

An ethics review committee will review and oversee all Kailo research activities. The ethics committee will ensure that the personal data that we use for research is not used in a way that causes you substantial harm or distress.

We will always tell you which legal basis we are using when we collect and process any personal data about you. You should be given some verbal or written information as you take part in our design and research activities that clearly states the legal basis we are using (this may include an information sheet – or digital link to one – which links to this Privacy Notice). We may, however, keep your personal data indefinitely (if there is a good reason to do so) and we might use your data again for other research. If we do, we will make sure the published results of the research do not identify you (unless you consent to this).

3. What personal information do we use, from whom?

We will always tell you what personal data we hold about you. The exact nature of the personal data we use depends on the specific purposes of our research projects. We will make reasonable efforts to ensure that your personal information is only used for the purposes specified in this data protection policy. For Kailo, we are collecting data from two broad groups of people:

1. From professionals working across Newham, Devon or those working in wider public policy, commissioning, practice or research. 

The legal basis for collecting and processing these data is a ’public task’.
For this group of people, data will be collected through email contacts and via meetings, workshops and events, either through written/types notes or via visual or audio recordings of meetings. If any meetings are recorded, participants will be made aware of this.

The types of data collected will include basic personal data, including name, job title, organisation address, telephone numbers, email address and public social media profile data. We may also collect data about the individual’s organisation, their role within it and who their colleagues are. We will also keep a contact history, including what information has been sent to them; meetings, workshops and events attended; and who was present at these. Information about your computer/ mobile device and your visits to and use of our websites, including, for example, your IP address and geographical location. Finally, we will capture their views and perspectives about the issues discussed at meetings, related to the nature and quality of current systems of support for young people’s mental health and wellbeing (as well as information about current, past or planned initiatives, and what these are, and who they are provided by) and their perspectives on the influences upon young people’s mental health. The EU General Data Protection Regulation (GDPR) recognises certain categories of personal information as sensitive, and therefore requiring more protection. These kinds of ‘special category data’ are often important and necessary for our research and may include: information related to race and ethnicity, or information related to physical or mental health.

2. From young people across Newham and North Devon

For engagements with young people, as with professionals, the legal basis for collecting and processing these data is also a ’public task’. 

Given that some data will be considered ‘special category’ data (from young people in relation to personal and sensitive issues), the derogation for research processing set out in the Data Protection Act 2018 will also be relied upon (i.e. processing for research and statistical purposes).Whilst a ‘public task’ is the legal basis on which data will be processed, in line with best practice for ethical research, for most engagements with young people will also seek active and informed consent to engage in all Discovery activities (unless where to do is not feasible or practical – which may be the case for brief ad-hoc engagements). But we will always share an information sheet (or card with a link to the information sheet), which includes a further link to this Privacy Notice. Together these communicate what information is collection, for what purpose, and how it will be used.

Data from young people will be gathered through a range of mixed methods engagements, including focus groups and small group discussions, interviews, workshops or school/class-based activities. Young people will be engaged through schools, youth centres and other services and agencies, as well as through engagements in public spaces. Information will be provided about the nature of the engagement and data to be gathered and its purpose and current/future uses. Where appropriate and necessary, young people will be given the opportunity to provide consent to take part (or not). Information will be made available to share with parents or caregivers. The types of data collected will also include basic demographic information, such as name, date of birth and contact information.

The EU General Data Protection Regulation (GDPR) recognises certain categories of personal information as sensitive, and therefore requiring more protection. Much of the data collected from young people will fall into this category, as they are from young people, and the nature of the data is sensitive. This information is important and necessary for our research and may include information related to: race and ethnicity, status of care, disability and information related to physical or mental health. As described above, given that some data to be processed will be ‘special category’ data (from young people in relation to personal and sensitive issues), the derogation for research processing set out in the Data Protection Act 2018 will also be relied upon (i.e. processing for research and statistical purposes).

4. What will these data be used for?

These data will be of crucial importance in determining the local priorities for supporting improvements in adolescent mental health, and will also be used to ensure we are considering a diverse range of perspectives and are not perpetuating inequalities in who is heard and contributing. We may also use special category data to make adjustments for any disabilities or dietary requirements you may have when attending our events.

5. When do we collect personal data about you?

We’ll always tell you when we collect personal data about you. We may hold information relating to you from a number of sources, and will collect personal information about you:

6. Securing your personal information

We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We will store all the personal information you provide on secure servers.

7. Do we share your personal information?

We will not sell, rent or lease your personal information to others.
However, we often work in collaboration with other organisations during our research. Before we share any information we sign a legal document called a Data Sharing Agreement (DSA) with our partners. This ensures our partners keep the same high standards as our own.

We may disclose your personal information to selected third parties such as our partners and collaborators or sub-contractors. The third party in question will have to use any personal data they receive according to our instructions outlined in the Data Sharing Agreement (for the same purposes and nothing else).

We’ll always tell you when we share your personal information with others.

We take technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We store all the personal information you provide on secure servers. When we do share your personal information, we require the same high standards of our partners. Our staff, associates or contractors who may use your personal data for research are trained and must follow a code of conduct set out in the Data Sharing Agreement.

We will ensure that all of the information we are obliged to share in accordance with article 13 and 14 of the UK GDPR is made available in good time.

We reserve the right to disclose your personal information to third parties:

8. International Data Transfers

As we sometimes use third parties to process personal information, it is possible that personal information we collect from you will be transferred to and stored in a location outside the UK or the European Economic Area (“EEA”).

Please note that certain countries outside of the UK or EEA have a lower standard of protection for personal information, including lower security protections. Where your personal information is transferred, stored, and/or otherwise processed outside the UK or EEA in a country which does not offer an equivalent standard of protection to the UK or EEA, we will take all reasonable steps necessary (including entering into standard contractual clauses to protect your personal information or relying on the Privacy Shield for transfers to organisations in the US) to ensure that the recipient implements appropriate safeguards designed to protect your personal information.

9. How long do we keep your personal information?

We will generally remove your personal information from our records five years after the date at which it is no longer required unless:

10. How we deal with breaches of data protection

If we become aware that there may have been a breach of data protection, we complete a risk assessment led by our data protection officer. This assists us to establish:

Having considered the findings of the assessment, we then decide whether the breach should be reported to the information commissioner’s office. If so, this action is led by our data protection officer. If we decide not to report such a breach, we will record the incident and take remedial action to prevent a similar incident in the future. As a rule, we always report incidents concerning sensitive information. If you are concerned about this, please contact the data protection officer.

11. Your rights

We’ll always tell you what personal information we’re collecting and why. In most cases, we will use consent or legitimate interests as our legal basis for processing your personal data for research. In both cases, you have several rights in relation to the personal data that we hold about you. You can find details of your rights from the Information Commissioner’s Office. Where we rely on your consent to use your personal information, you have the right to:

If you decide you do not want to receive any further emails from the Kailo partnership, please tell us and we will remove you from the mailing list. At any point you can request to unsubscribe from the Kailo mailing list or remove your personal information from the database by contacting us. Please note that when you ask us to delete your personal information, we will maintain a skeleton record comprising your name and organisation to ensure that we do not inadvertently contact you in the future. We may also need to retain some records for statutory purposes. Please note that you also have the right to lodge a complaint about our handling of your personal data with the Information Commissioner’s Office at www.ico.org.uk/concerns

12. Accountability for data processing

The GDPR includes a seventh principle detailed in article(2) of the UK GDPR that requires each data controller to be accountable for their processing of personal information. Accountability requires the controller to effectively demonstrate how it is responsible for processing activities such as how it;

13. Accountability statement

We regularly review our data protection policies, procedures and staff guidance. This helps us to ensure we continue to comply with the law and that our intended processing is both clearly explained, necessary and absolutely transparent. Where we rely on consent, we ensure it is gathered in accordance with the law. When we rely on other conditions, we consider the rights of others before we proceed. We assess the risks we may, from time to time, create when processing data to ensure we uphold the rights and freedoms of every individual. This is especially true when we process data in a new way. We only share data where we have a defined purpose to do so and a data sharing agreement is in place. International transfers are safeguarded with Standard Contractual Clauses where necessary. We keep extensive records of our processing. For example, Activity and Incident logs measure our compliance and help us to identify any weaknesses in our procedures. We actively consider the opinion and advice of others both here, in the EU and beyond. We monitor case law and the guidance of the ICO and the EDPB. We have appointed a Data Protection Officer who is an expert in data protection law and is experienced in the sector in which we work. We positively welcome enquiries from the public concerning their personal information. To ensure we protect personal data we constantly review our security measures, both technical and physical and have instigated appropriate safeguards. This includes regularly training our staff. Access to data is based on the ‘Least Privileged’ principle (POLP). We have appointed an identifiable ’Accountable person’ to oversee our processing.’ We are registered with the ICO as a data controller and have a clear breach reporting policy.

14. Other websites

The Kailo partnership is not responsible for the privacy practices or the content of linked websites. Please review the privacy notices of such websites.

15. Updating this privacy statement

We may update this privacy statement by posting a new version on this website. If we update this privacy statement in a way that significantly changes how we use your personal information, we will use reasonable efforts to bring these changes to your attention where we have your contact details. Otherwise, we would recommend that you periodically review this privacy statement to be aware of any other revisions.

16. Contact details

If you have any concerns about your personal data that we hold, please contact our Data Protection Officer at data-protection@ucl.ac.uk and they will investigate the matter. You can find out more about how we use your information at https://www.ucl.ac.uk/legal-services/data-protection-overview. Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-dataprotection- regulation-gdpr/individual-rights/