We need to process some personal data in order to provide our training courses and consultancy. We understand that when you share personal data with us, we must look after it. This privacy notice outlines what we do, how we do it, what we use it for and why use it. 

A little bit about us

We are Leadership Through Data. We have three companies, the UK, Australia and New Zealand, and the North America region. Each company is registered in that country or region. 

For the UK we are a Limited company registered in England (Company No. 11087569). The UK registered address is Enterprise House, Rippers Court
Station Road, Sible Hedingham, Essex, CO9 3PY

For the Australia and New Zealand region, we are a Proprietary Limited Company (Pty Ltd) registered in Australia (Company ABN No. 644 020 397). The registered address for this region is Level 1, 8 Beulah Road, Norwood, South Australia, 5067. 

For North America, we are a Limited Liability Company (LLC) registered in Florida, USA (Company EIN No.88-4372071). The registered address is 4600 140th Avenue North, Suit 108, Clearwater, Florida, US 33762. 

Our business is to provide training and consultancy to our clients on areas of Information Governance, Data Protection/GDPR and Microsoft 365 Information Management. 

We are what is known as the ‘Controller’ of the personal data and other information collected and we are registered as a data controller with the UK Information Commissioners Office (ICO) (registration no. ZA303412). 

What personal data do we process and why?

We collect your personal data when you book a course, webinar, eLearning or consultancy work with us, and we may collect additional information for invoicing purposes. 

We have to identify a lawful basis for processing your personal data and these are shown below. Please contact us if you would like more detail. 

  • When you book on a course with us, this forms a contract with us. 
  • When you buy our eLearning subscription this forms a contract with us. We use your personal information you supply to add you as a user on the platform.
  • Where you provide Allergens or dietary information for any face-to-face courses, we will process this with your consent. 
  • We do collect feedback forms from our courses and some webinars. These can be submitted without your personal data such as your name and we have a legitimate interest in collecting this information to help us improve courses or address any issues. If you do provide your details, this will be based on your consent. 
  • We do ask if we are going to take photographs at courses or record any webinars. This will be with consent and you are not obliged to provide this. For example, we provide details on how you can attend a webinar without your personal details or image being collected. 
  • Information provided by you when making an enquiry, or contacting us using our online form, will be processed based on consent and legitimate interests – we cannot respond to you without knowing certain information or contact details. 
  • When you request support via a Q&A form, we will collect your information to enable us to fully answer your question and respond to you. This is based on your consent when you complete the form. 
  • We have a live chat facility on our website and any information provided is with your consent as the lawful basis. 
  • When you agree to join out marketing list for email updates, information and newsletters this will be processed with your consent. 
  • Occasionally we may run a competition. You can enter without providing any personal details, but we would love it if you did so that we can send you information about related courses. If you provide your details this will be with your consent as we will add you to our mailing list. 
  • We use QR codes, and these will include some tracking details of who has scanned the code. This is for legitimate interest purposes to enable us to ensure our information is available to those interested in our services. 
  • Your IP address and any information collected by cookies such as location or how long you have been browsing our website will be collected. We do collect some information to ensure that there is no suspicious activity on our website such as a cyber hack, and we have a legitimate interest to protect our website. For any other ‘technical data’ we have a separate cookie policy that provides more information about this. We will collect information where it is necessary for the website to function but you will have a choice for other types of cookies. 

Retention of personal data

We will retain personal data for different lengths of time, depending on why we collected it. We may need to keep certain data to comply with a legal obligation. For example, financial information will be kept for a maximum of 7 years to comply with HMRC Regulations in the UK. 

Where we have collected your personal data for our mailing list or newsletter we will retain your data until you unsubscribe or tells us you no longer wish to receive these. 

Where we have used consent as a lawful basis, you can withdraw this at any time and we will delete any data that we are not legally obliged to keep. 

You can ask us for more information about our retention of personal data by contacting us at [email protected]  

Third parties and storing your personal data

We use a booking system that processes all of the personal data or delegates that book onto our courses. The system is based in the UK and we have a contract in place with them. Access is controlled by unique logins and a one-time passcode process. 

We use a Customer Relationship Management (CRM) system. This also provides additional facilities such as live chat, an email platform, forms such as our contact us form, and allows us to undertake some analytics. This system uses regional based data centres. We have a contract and subscription with the suppliers and have undertaken all reasonable due diligence steps to ensure that any data we store in the CRM system is secure and only available to authorised staff. 

All our trainers are self-employed, but we have a contract in place with them which includes obligations for processing of any personal data and confidentiality. 

We hire venues to provide face-to-face training courses. We will share allergen information that could result in you being identified when collecting a meal, however, we do not pass on any names for this purpose. We are sometimes required to share the training delegate list to some of the venues for the purpose of health and safety reasons. Venues may also have their own methods of collecting data such as signing in books and CCTV for the prevention and detection of crime. Unfortunately, we have no control over this information, and you must contact the individual venue when exercising any of your rights.  

We use MS Teams and Zoom to deliver our virtual training and webinars. We have contracts for both and ensure that the minimum data is processed to enable us to deliver the sessions using these. 

We do sometimes record our webinars and share these on YouTube. Where we do this, we will inform all those attending and provide messages telling you how to remove your details or turn your camera off if you do not want your details or image published in this way. 

When you Purchase the eLearning platform online using a credit card you will be directed to Stripe for payment. Your information will be processed through Stripe, and they hold your card details.

We use a third party to host our eLearning platform, all information is stored under our account and they have no access to personal information.

Protecting my data

We have a number of technical, physical and organisational measures in place to protect your personal data as we know how important this is. This includes: 

  • Use of multi-factor authentication on our systems and devices. 
  • Use of encrypted devices with up-to-date software and antivirus implemented.  
  • Access to personal data on a need-to-know basis via unique logins and passwords. 
  • Confidential waste/ cross-cut shredding of limited manual records. 
  • A range of policies, procedures, and audits in place. 

Do you transfer my personal data overseas?

If you are a UK or EEA based delegate, as far as possible, we do not transfer or process data outside the UK. We endeavour to contract with companies that store data in the UK or EEA. Where we are informed that data is transferred overseas, we ensure that we have the appropriate safeguards in place to protect your personal data.  

Where you are based in Australia or New Zealand, or North America, your personal data will be transferred to the UK to be held in our CRM and booking systems. As these are cloud-based systems, any transfers such as typing in your details, are completed over the internet. We take all reasonable steps to ensure this is as secure as we can make it. Access is restricted to those who are working for or with us in these countries or regions and our UK Head Office staff only. We have Joint Controller Agreements in place between our companies. 

Do you share my personal data?

We do make delegate names and email addresses available to our trainers to enable them to confirm attendance on courses. Trainers have access to this information via our booking system. They do not retain this information. 

We share data between our companies for the purpose of storing this in the Head Office CRM and Booking Systems. We may also share with our partners to provide you with the service you have requested. We publish details of our partners on our website. 

Where you submit a Q&A form, we will need to share information with one of our trainers or associates to enable them to answer fully. We will remove personal data where this is not necessary for the question you have submitted. 

We may be legally required to share certain personal data. This includes if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.  

We do not sell or trade your personal data in any way.  

What are my rights?

Subject to some legal exceptions, you have a number of rights under the applicable data protection legislation or local legislation. 

For the UK these are:  

  • a right of access to your personal data held by us, also called a Subject Access Request. 
  • a right to rectify any personal data held by us that you believe is incorrect. 
  • a right to erase any personal data that we no longer have a legitimate purpose to process (right to be forgotten).  
  • a right to restrict the processing of your personal data subject to certain condition and obligations. 
  • a right of access to a machine-readable version of your data (data portability). There are conditions that apply to this right, but we will endeavour to give you a portable version of any of your data where possible.  
  • a right to object to us processing any of your data that we do not have a legal or contractual obligation to process.  
  • a right to prevent any wholly automated decisions or profiling involving your data – We do not use wholly automated decision-making techniques and do not undertake profiling.

Please use the drop downs below to view information about your rights if you are located in:

Although we may not be obliged to comply with certain legislation due to the nature or size of our business or number of customers, we endeavour to comply with all currently data protection legislation in place in North America. 

Generally, this will mean you have rights for your personal information or personal data: 

  • Restrictions on the sale of personal data or information including the ability to opt-out of any such sales of personal data or information. 
  • Protection against discrimination. 
  • Right to access your personal information or right to request deletion of this. 

For Canada, where we process information about commercial for-profit organisations, we will comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) as far as it applies to our company. This may include obtaining an individual’s permission to use their personal data. 

We endeavour to comply with all currently data protection legislation in place in Australia and New Zealand. 

The principal legislation in Australia is the Privacy Act 1988 which is under the responsibility of the Office of the Australian Information Commissioner (OAIC). There are a number of separate state laws which we will strive to comply with as an organisation with an “Australian link” as defined under the legislation. 

Generally this will mean you have rights for your personal data which include: 

  • a right to access your personal data. 
  • a right to rectification of errors. 
  • a right to request deletion of your personal data. 
  • rights to object or restrict the processing. 
  • a right to withdraw consent. 
  • a right to object to marketing. 
  • A right to complain. 

In New Zealand we will comply with the Privacy Act 2020 which is regulated by the Officer of the Privacy Commissioner. You have the following rights for your personal information: 

  • a right of access to your personal information. 
  • a right to correction of information. 

There is no explicit right to object to processing but we will apply the same principles as we have in the UK.

We do not charge for exercising your rights and we are obliged to respond with one month (subject to exceptions). You can exercise any of these rights by contacting us at [email protected].   

Complaints

If you have any cause for complaint about our use of your personal data we would like the opportunity to resolve this with you. You can contact our Data Protection Officer at [email protected] 

As our Head Office is in the UK, if you feel that we cannot resolve this for you or you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office via their online form at www.ico.org.uk.  

Changes to this Privacy Notice   

We may change this Privacy Notice from time to time and recommend that you revisit this when you next contact us. (Last reviewed: January 2024).