TACT (Telford After Care Team)
Version 2.0  |  Effective: May 2026  |  Next review: May 2027
TACT (Telford After Care Team) is committed to protecting the privacy, dignity and confidentiality of all individuals whose information we process. This privacy notice explains how we collect, use, store and protect personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations (PECR) and other applicable legislation.
This notice applies to:
  • service users (adults aged 18 and over)
  • people making referrals
  • employees
  • volunteers
  • trustees
  • contractors
  • applicants
  • website users
  • donors and supporters
  • partner agencies and professionals
TACT provides services to adults only. We do not knowingly collect or process personal information about children under the age of 18.
Because of the nature of our work, TACT may process sensitive personal information, including information relating to health, safeguarding, addiction, trauma, housing needs and criminal offence history.

1. Who We Are

TACT (Telford After Care Team) is the data controller responsible for the personal information we process.
Registered address: Strickland House, The Lawns, Wellington, Telford, TF1 3BX
Telephone: 01952 899204
Email: business.services@tacteam.org.uk
ICO registration number: ZB876865
Data Protection Lead
TACT has assessed its requirement to appoint a statutory Data Protection Officer (DPO) under Article 37 UK GDPR. Day-to-day responsibility for data protection compliance sits with the Operations Manager, who is the initial point of contact for all data protection queries, complaints and rights requests.
Contact: business.services@tacteam.org.uk
DPO: Laura Doran – next review of this will be in May 2027

2. The Information We Collect

Depending on the nature of your involvement with TACT, we may collect and process the following categories of personal information:
Personal Information
  • name
  • address
  • date of birth
  • telephone number
  • email address
  • gender
  • emergency contact information
  • next of kin information
  • photographs or video footage where appropriate (including through CCTV — see Section 12)
  • referral details
  • support history
  • tenancy or housing information
Support and Service Information
  • support plans
  • case notes
  • engagement records
  • safeguarding concerns (adults at risk)
  • attendance records
  • incident and accident reports
  • risk assessments
  • support outcomes
  • appointment information
  • communication records
Special Category Information
We may process sensitive personal information including:
  • physical health information
  • mental health information
  • disability or neurodiversity information
  • addiction or substance misuse information
  • trauma-related information
  • sexual abuse or sexual violence disclosures
  • ethnicity
  • religious beliefs where relevant to support
  • information relating to wellbeing or vulnerability
Criminal Offence Information
Where lawful and necessary, we may process information relating to:
  • criminal convictions or cautions
  • offending history
  • probation involvement
  • court orders
  • risk management information
Processing of criminal offence data is carried out only under the conditions set out in Schedule 1 of the DPA 2018, and TACT maintains an Appropriate Policy Document (APD) as required by paragraph 5 of Schedule 1. A copy of the APD is available on request.
Employee and Volunteer Information
Where applicable, we may process:
  • payroll information
  • bank details
  • pension information
  • DBS information
  • recruitment records
  • sickness records
  • training records
  • disciplinary or grievance records
  • right to work documentation
  • health information
Financial Information
  • invoices
  • payment records
  • donation information
  • banking information
  • financial transaction records
Website Information
  • IP address
  • browser and device information
  • cookies and analytics information
  • website usage information

3. How We Collect Information

We may collect information:
  • directly from you
  • through referral forms
  • through our website
  • through staff or volunteers
  • from local authorities
  • from NHS services
  • from probation or criminal justice agencies
  • from partner agencies
  • from housing providers
  • from emergency contacts or advocates where appropriate
  • during support sessions or ongoing engagement
Information Received from Third Parties
Where we receive information about you from a third party (for example, a referring agency, probation officer or local authority), we will, where required by Article 14 UK GDPR, inform you within one month of the categories of information received and the source. Information received from third parties is limited to what is necessary to assess suitability and provide safe, effective support.

4. Why We Process Personal Information

We process personal information in order to:
  • assess referrals and suitability for services
  • provide support, recovery and housing services
  • safeguard adults at risk
  • manage risks and incidents
  • coordinate support with partner agencies
  • maintain accurate service records
  • fulfil contractual and funding obligations
  • manage employees and volunteers
  • process payroll and financial transactions
  • monitor and improve services
  • investigate complaints or incidents
  • comply with legal and regulatory obligations
  • protect service users, staff, volunteers and the public
Consequences of Not Providing Information
Where personal information is required by law or by contract (for example, to assess a referral, deliver a regulated support service, process payroll, or complete pre-employment checks such as right-to-work or DBS), we may be unable to provide the service, employment or other arrangement if the information is not provided. We will tell you at the point of collection where information is mandatory and what the consequences of not providing it are.

5. Lawful Bases for Processing

Under Article 6 UK GDPR, we rely on one or more of the following lawful bases depending on the activity. The table below summarises how we match each main category of processing to its lawful basis.
Processing activityArticle 6 basisArticle 9 / Schedule 1 condition (special category)
Providing support, recovery, and housing services to service usersPublic task / legitimate interests / contractProvision of health or social care (Art 9(2)(h)); substantial public interest — support of individuals with a particular disability or medical condition (Sch 1, Part 2, para 16)
Safeguarding adults at riskLegal obligation / vital interests / public taskSafeguarding of adults at risk (Sch 1, Part 2, para 18); vital interests (Art 9(2)(c))
Managing employees, payroll, pensionsContract / legal obligationEmployment, social security and social protection (Sch 1, Part 1, para 1); Art 9(2)(b)
Recruitment and DBS checksLegal obligation / legitimate interestsPreventing or detecting unlawful acts; Sch 1, Part 2, para 10 (criminal offence data)
Fundraising, donations and supporter communicationsLegitimate interests / consent (for electronic marketing under PECR)Not applicable unless special category data is processed
Website analytics and non-essential cookiesConsent (PECR)Not applicable
Compliance with legal, regulatory and funder reportingLegal obligationVarious Sch 1 conditions as applicable

Where criminal offence information is processed, this is done only where lawful, necessary and proportionate under Schedule 1 of the DPA 2018, supported by our Appropriate Policy Document.
Where we rely on consent, you have the right to withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Where we rely on legitimate interests, we have completed a Legitimate Interests Assessment (LIA) which balances our interests against your rights and freedoms. A summary is available on request.

6. Information Sharing

We only share personal information where necessary, proportionate and lawful. Depending on the circumstances, we may share information with:
  • local authorities
  • NHS services
  • safeguarding teams (adults)
  • probation or criminal justice agencies
  • commissioners and funders
  • housing providers
  • emergency services
  • regulatory bodies (including the Care Quality Commission, Charity Commission, and ICO where required)
  • professional advisors (legal, audit, insurance)
  • partner agencies involved in providing support
Information may also be shared:
  • where there is a safeguarding concern relating to an adult at risk
  • where there is a serious risk of harm to any individual
  • where required by law or court order
  • to protect the vital interests of an individual
  • for the prevention or detection of crime or apprehension of offenders
We do not sell personal information to third parties under any circumstances.

7. Third-Party Systems and Data Processors

TACT uses trusted third-party providers (data processors) to support service delivery and organisational operations. These currently include:
  • Goodlabs Consulting Limited / Cimpl CRM — case management and support record systems
  • Xero — financial and accounting systems
  • PeopleCloud HR — HR and employee management systems
  • Microsoft 365 and associated cloud-based systems — communication, document management and administration
Information stored within these systems may include referral information, support records, safeguarding information, employee records, financial records and other personal information relevant to TACT's operations. These providers act as data processors on behalf of TACT under written data processing agreements that meet the requirements of Article 28 UK GDPR.
International Transfers
Some of our processors may store or process information outside the United Kingdom, principally in the European Economic Area (EEA) and the United States, as part of standard cloud service delivery (for example, Microsoft 365).
Where personal information is transferred outside the UK, we ensure one or more of the following safeguards are in place, as required by Chapter V of the UK GDPR:
  • transfer to a country covered by UK adequacy regulations (e.g. EEA countries, and the US under the UK-US Data Bridge for certified organisations)
  • the UK International Data Transfer Agreement (IDTA)
  • the UK Addendum to the EU Standard Contractual Clauses
  • binding corporate rules where applicable
You can request a copy of the relevant safeguards by contacting business.services@tacteam.org.uk.

8. Data Security

TACT takes appropriate technical and organisational measures to protect personal information against accidental loss, unauthorised access, misuse, alteration or disclosure.
These measures include:
  • password-protected systems and multi-factor authentication where appropriate
  • role-based access controls
  • staff confidentiality obligations and contracts
  • secure cloud-based systems with encryption in transit and at rest
  • secure disposal procedures (shredding and certified IT asset disposal)
  • regular staff data protection and information security training
  • restricted access to sensitive records on a need-to-know basis
  • documented incident and breach reporting procedures, including reporting to the ICO within 72 hours where required by Article 33 UK GDPR
  • antivirus and cyber security protections

9. Data Retention

TACT only retains personal information for as long as necessary for legal, safeguarding, operational, contractual and regulatory purposes. The table below sets out our standard retention periods. A full retention schedule is maintained internally and is available on request.
Record typeRetention periodTrigger
Service user case files and support records7 yearsAfter case closure
Safeguarding records (adults at risk)Minimum 7 years; longer where ongoing risk identifiedAfter last action on case
Incident and accident reports7 yearsAfter date of incident
Referral records (not progressed)2 yearsAfter referral date
Employee records (HR file)6 yearsAfter end of employment
Recruitment records (unsuccessful applicants)6 monthsAfter recruitment decision
DBS check information6 months from disclosure (longer only with documented justification)After disclosure received
Payroll and pension records6 yearsAfter end of tax year
Financial / accounting records6 years (HMRC requirement)After end of financial year
Donation records6 years (Gift Aid: 6 years after claim)After donation date
CCTV footage30 daysAfter date of recording (unless retained for evidence)
Website analytics data26 monthsFrom data collection
Complaints records6 yearsAfter complaint closure

At the end of the retention period, records are securely destroyed or anonymised. Where information is held for safeguarding or legal reasons, retention may be extended, and the reason will be documented.

10. Your Rights

Under UK GDPR, individuals have the following rights in relation to their personal information:
  • the right to be informed about how we use your information (this notice)
  • the right to access personal information we hold about you (a Subject Access Request)
  • the right to request correction of inaccurate or incomplete information
  • the right to request erasure in certain circumstances ('the right to be forgotten')
  • the right to restrict processing in certain circumstances
  • the right to object to processing, including for direct marketing
  • the right to data portability where applicable
  • the right to withdraw consent where consent is the lawful basis
  • rights relating to automated decision-making and profiling
Some rights may be restricted where exemptions apply, including safeguarding, legal obligations, or the protection of others.
We will respond to rights requests without undue delay and within one month, as required by Article 12 UK GDPR. This may be extended by a further two months for complex requests, in which case we will tell you within the first month.
To make a rights request, contact: hr@tacteam.org.uk
Automated Decision-Making
TACT does not carry out any automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.

11. Cookies and Website Use

TACT's website uses cookies and similar technologies to ensure the site functions correctly and, with your consent, to understand how visitors use the site.
We distinguish between:
  • Strictly necessary cookies — required for the website to function (no consent required under PECR)
  • Analytics and performance cookies — used only with your consent
  • Marketing cookies — used only with your consent (where applicable)
When you first visit our website, you will see a cookie banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time through the cookie settings on the site or your browser preferences. A full cookie policy, including the name, purpose, provider and duration of each cookie, is available on our website.

12. CCTV

TACT operates CCTV at its premises for the purposes of:
  • the safety and security of staff, volunteers, service users and visitors
  • the prevention and detection of crime
  • the protection of property
  • supporting incident investigation
Lawful basis: legitimate interests (Article 6(1)(f) UK GDPR), and where relevant, substantial public interest under Schedule 1 DPA 2018.
Locations: entrances, communal areas and the external perimeter of TACT premises. Cameras are not located in private spaces such as toilets, bathrooms or one-to-one support rooms.
Signage: clearly displayed at all monitored entrances, identifying TACT as the operator and providing contact details.
Retention: footage is retained for 30 days and then automatically overwritten, unless required for an ongoing investigation, legal proceeding or safeguarding concern.
Access: restricted to authorised personnel. Footage is only disclosed to third parties (e.g. police) where there is a lawful basis to do so.
A separate CCTV Policy is available on request and the system is operated in accordance with the ICO's video surveillance guidance and the Surveillance Camera Code of Practice.

13. Marketing, Fundraising and Communications

Where TACT contacts you for fundraising, supporter updates, newsletters or event invitations, we will do so in accordance with the Privacy and Electronic Communications Regulations (PECR) and the Fundraising Code of Practice.
Electronic marketing (email, SMS) is sent only:
  • with your prior consent, or
  • to existing supporters or contacts in reliance on the 'soft opt-in' under PECR, where you have not opted out
Every electronic marketing communication includes a clear and free way to opt out. You can also opt out at any time by contacting business.services@tacteam.org.uk.
Photography, Video and Case Studies
Where TACT uses photographs, video or written case studies featuring identifiable individuals for fundraising, reporting or publicity purposes, this is done only with the individual's prior written consent. Consent can be withdrawn at any time, and we will remove the material from future communications and online channels we control as soon as reasonably possible.

14. Complaints

If you are unhappy with how your personal information has been handled, please contact TACT in the first instance:
Email: hr@tacteam.org.uk
Telephone: 01952 899204
You also have the right to complain to the UK Information Commissioner's Office (ICO):
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you contact the ICO.

15. Accessibility and Alternative Formats

We can provide this Privacy Notice in alternative formats on request, including:
  • large print
  • easy-read summary
  • audio recording
  • translated into another language
Please contact hr@tacteam.org.uk to request an alternative format.

 

16. Changes to This Privacy Notice

TACT may update this Privacy Notice from time to time to reflect changes in legislation, operational practices or services. The latest version, with version number and effective date, will always be available on our website. Significant changes will be communicated directly to affected individuals where appropriate.
Version History
Version 2.0 — May 2026 — Full review and update; added DPO/ICO registration, retention schedule, CCTV, international transfers, fundraising, accessibility and lawful basis mapping.
Version 1.0 — June 2022


How We Use Your Information
A short, plain-English summary of our Privacy Notice
TACT keeps information about you so we can:
  • support you safely
  • manage risks and safeguarding concerns
  • work with other professionals involved in your support
  • meet legal requirements
We keep your information securely and only share it where necessary and lawful.
Sometimes we may need to share information without your permission if:
  • someone is at risk of harm
  • there are safeguarding concerns
  • we are legally required to do so
You have rights over your information, including the right to ask what information we hold about you.
The full Privacy Notice is available on our website tacteam.org.uk or can be provided in printed or alternative formats on request.
Questions: info@tacteam.org.uk

service3.jpg

About Us

Meet the team

Meet the Team

Sponsors

Supporters & Partners

Get Involved

Get Involved

service3.jpg

Vacancies