Privacy & Data Handling Policy

ARA Investigations Ltd

Version 1.1 – Last Updated: 17/05/2024

ARA Investigations Ltd is committed to handling personal data with integrity, transparency, and full legal compliance. As a safeguarding and complaints consultancy, we regularly process sensitive information that demands the highest levels of data protection.

We are registered with the Information Commissioner’s Office (ICO) and act as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy explains how we collect, use, and protect personal data through our website and during the delivery of our services.

1. What Personal Data We Collect

We collect the following types of personal data when you contact us, use our services, or interact with our website:

• Name, email address, phone number

• Professional details such as job title and organisation (if relevant)

• Case-related data, including safeguarding disclosures, complaints, and health-related information

• Technical data such as IP address, browser type, time zone, and website interactions (via cookies)

This data may be provided directly by you or by a third party on your behalf.

2. Why We Process Your Data

We collect and use personal data to:

• Respond to enquiries and consultation requests

• Deliver safeguarding investigations and complaint reviews

• Comply with legal and statutory safeguarding obligations

• Manage client cases, communications, and internal records

• Improve website performance and prevent abuse

We apply data minimisation principles — collecting only what is necessary. We never sell personal data and only share it when required by law or essential for secure service delivery.

3. Legal Basis for Processing

We process personal and sensitive data under the following lawful bases:

• Legal obligation – to fulfil safeguarding and data protection duties

• Substantial public interest – under Article 9(2)(g) UK GDPR, where processing is necessary for safeguarding purposes

• Schedule 1, Part 2, Paragraph 18 of the Data Protection Act 2018 – protecting children and individuals at risk

• Contract – to deliver services under an agreement with you or your organisation

• Legitimate interest – to manage enquiries, relationships, and operations

Consent is only sought where strictly necessary and never relied upon in place of our legal duties.

4. How We Handle Sensitive Information

When handling safeguarding-related data and other special category information, we apply enhanced safeguards:

• End-to-end encryption (in transit and at rest)

• Access restricted to authorised case handlers

• Secure cloud storage compliant with UK GDPR

• Regular staff training in confidentiality and data protection

See Section 3 for the legal basis under which we process special category data.

5. Data Sharing

We may share personal data with:

• Secure cloud service providers (under data processing agreements)

• Local authority safeguarding teams, law enforcement, or other statutory bodies (where legally required)

• Legal or regulatory bodies, including courts or where required by statute

We only engage third-party service providers that meet our due diligence standards for data security, confidentiality, and UK GDPR compliance.

6. Cross-Border Data Transfers

Where personal data is stored or transferred outside the UK or EEA (e.g. via cloud platforms), we implement:

• ICO-approved Standard Contractual Clauses or

• Equivalent legal safeguards

This ensures your data remains protected in accordance with UK data protection laws.

7. Data Security and Retention

We secure all personal data using:

• Encrypted storage

• Password protection

• Limited and role-based access protocols

We retain case-related data for 12 months following closure. Where legal, contractual, or safeguarding requirements apply, data may be retained longer, in accordance with our internal retention policy — reviewed annually. A copy is available on request.

8. Personal Data Breaches

In the event of a personal data breach, we will:

• Notify the Information Commissioner’s Office (ICO) within 72 hours

• Inform affected individuals where appropriate

• Follow our internal incident response protocol to investigate, contain, and remediate the breach

9. Cookies & Website Tracking

Our website displays a cookie banner on first visit to request consent for non-essential cookies.

We use Google Analytics 4 (GA4) with IP anonymisation enabled.

• Cookies are stored for up to 90 days

• No cookies are used for advertising or profiling

• Consent is required for analytics cookies

You can manage your cookie preferences via your browser settings at any time.

10. Third-Party Links

External links on our website are provided for convenience. We are not responsible for the content or privacy practices of these sites.

We recommend reviewing their privacy policies before submitting personal data.

11. ICO Registration

• Registered with the ICO: Ref. ZB900079

• Company Name: ARA Investigations Ltd

• Company Number: 16453572

• Jurisdiction: United Kingdom

12. Your Data Rights

You have the right to:

• Access your personal data

• Request correction of inaccurate data

• Request deletion (where lawful)

• Object to or restrict certain types of processing

• File a complaint with the Information Commissioner’s Office (www.ico.org.uk)

We aim to respond to all requests within one calendar month. We may ask for information to verify your identity and will keep you informed throughout the process.

To submit a request, email us with your name, the nature of your request, and a relevant service reference (if applicable).

13. Contact Us

For questions about this policy or to exercise your data rights:

• Email: info@arainvestigations.co.uk

• Phone: 07776 102455

14. Policy Updates

We may update this policy to reflect:

• Changes in legislation

• Operational changes

• Service updates

All revisions will be posted here. If updates materially affect your rights or how we process your data, we will notify you directly where appropriate.