Privacy & Data Handling Policy

ARA Investigations Ltd

Version 1.1 – Last updated: 17/05/2024

ARA Investigations Ltd is committed to handling personal data with integrity, transparency, and full legal compliance. As a safeguarding and complaints consultancy, we regularly process sensitive information that demands the highest levels of data protection.

We are registered with the Information Commissioner’s Office (ICO) and act as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains how we collect, use, and protect personal data through our website and during the delivery of our services.

1. What Personal Data We Collect

We collect the following types of personal data when you contact us, use our services, or interact with our website:

• Name, email address, phone number

• Professional details such as job title and organisation (if relevant)

• Case-related data, including safeguarding disclosures, complaints, and health-related information

• Technical data such as IP address, browser type, time zone, and website interactions (via cookies)

This data may be provided directly by you or by a third party on your behalf.

2. Why We Process Your Data

We collect and use personal data to:

• Respond to enquiries and consultation requests

• Deliver safeguarding investigations and complaint reviews

• Comply with legal and statutory safeguarding obligations

• Manage client cases, communications, and internal records

• Improve website performance and prevent abuse

We apply data minimisation principles — collecting only what is necessary for each specific purpose. We never sell personal data and only share it when required by law or essential for secure service delivery.

3. Legal Basis for Processing

We process personal and sensitive data under the following lawful bases:

• Legal obligation – to fulfil safeguarding and data protection duties

• Substantial public interest – under Article 9(2)(g) UK GDPR, where processing is necessary for safeguarding purposes

• Schedule 1, Part 2, Paragraph 18 of the Data Protection Act 2018 – which permits processing necessary for protecting children and individuals at risk

• Contract – when processing is necessary to deliver our services under an agreement with you or your organisation

• Legitimate interest – to manage enquiries, relationships, and day-to-day operations

Consent is only sought where strictly necessary and is never relied upon in place of our legal duties.

4. How We Handle Sensitive Information

When handling safeguarding-related data and other special category information, we apply enhanced safeguards:

• End-to-end encryption (in transit and at rest)

• Access restricted to authorised case handlers

• Secure cloud storage compliant with UK GDPR

• Regular staff training in confidentiality and data protection

See Section 3 for the legal basis under which we process special category data.

5. Data Sharing

We may share personal data with:

• Secure cloud service providers (under data processing agreements)

• Local authority safeguarding teams, law enforcement, or other statutory bodies (where legally required)

• Legal or regulatory bodies, including where required by a court order or statutory duty

We only engage third-party service providers that meet our due diligence requirements for data security, confidentiality, and UK GDPR compliance.

6. Cross-Border Data Transfers

Where personal data is stored or transferred outside the UK or EEA (e.g. via cloud platforms), we implement ICO-approved Standard Contractual Clauses or equivalent legal safeguards.

7. Data Security and Retention

We store all personal data using encrypted storage, password protection, and limited access protocols. Staff access is role-based and audited.

We retain case-related data for 12 months following closure. Where legal, contractual, or safeguarding requirements apply, data may be retained longer in line with our internal retention policy. Our internal retention policy is reviewed annually to align with legal, contractual, and safeguarding standards. A copy is available on request.

8. Personal Data Breaches

In the event of a personal data breach, we will notify the Information Commissioner’s Office within 72 hours and inform affected individuals where appropriate, in line with UK GDPR requirements.

We also maintain an internal incident response protocol to ensure rapid investigation, containment, and notification if a breach occurs.

9. Cookies & Website Tracking

Our website displays a cookie banner on first visit to request consent for non-essential cookies.

We use Google Analytics 4 (GA4) to track anonymised performance data. IP anonymisation is enabled.

• Cookies are stored for up to 90 days

• No cookies are used for advertising or profiling

• Consent is required for analytics cookies, which you may accept or reject via our banner

You can manage your cookie preferences through your browser at any time.

10. Third-Party Links

Links to external websites are provided for convenience only. We are not responsible for their content or privacy practices. We recommend reviewing the privacy policies of any external sites before submitting personal data.

11. ICO Registration

We are registered with the Information Commissioner’s Office (ICO), ref. ZB900079

Company Name: ARA Investigations Ltd

Company Number: 16453572

Jurisdiction: United Kingdom

12. Your Data Rights

You have the right to:

• Access your personal data

• Request correction of inaccurate data

• Request deletion where lawful

• Object to or restrict certain types of processing

• File a complaint with the Information Commissioner’s Office (www.ico.org.uk)

We aim to respond to all data rights requests within one calendar month, in accordance with UK GDPR. We may request additional information to verify your identity and will keep you informed throughout the process.

To submit a data rights request, please email us with your name, the nature of the request, and the relevant service reference if applicable.

13. Contact Us

For questions about this policy or to exercise your data rights:

Email: info@arainvestigations.co.uk

Phone: 07776 102455

14. Policy Updates

We may update this policy to reflect changes in legislation, operational needs, or service updates. All revisions will be posted on this page. Where material changes affect your data rights or how we process your information, we will notify you directly where appropriate.