Skip to main content

{{ root_page.title }}

Privacy notice for Information Governance


This privacy notice explains how Achieving for Children’s Information Governance Team collects and uses personal data, and who it may share information with. We are required to give this information under data protection law. 

Who we are

Achieving for Children is a community interest company created in 2014 by the Royal Borough of Kingston upon Thames and London Borough of Richmond to provide children’s services. In August 2017 the Royal Borough of Windsor and Maidenhead became co-owner of Achieving for Children. 

Achieving for Children delivers children’s services and the local authority statutory responsibilities relating to children aged up to 25 years across the boroughs of Kingston, Richmond and Windsor and Maidenhead. Achieving for Children is registered as a controller with the Information Commissioner’s Office (ICO) (registration number ZA045069) and is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations. 

Personal data we collect 

We collect the minimum information we need to deliver our service and will include the following personal data:

  • name
  • address
  • contact details
  • date of birth
  • proof of identity (we ask for this in relation to a data subject request)

How we collect your personal information

We collect personal information about you in writing when you email us or  submit a request via the customer portal. We may also collect information when you speak to us on the phone or when your requests are forwarded to us by other Achieving for Children departments. 

How we use your personal data 

We use your personal data the following purposes:

  • Processing of Freedom of Information requests
  • Responding to Data Subject Requests
  • Responding to requests for information covered by the Environmental Information Regulations
  • Dealing with all Data Protection matters including any complaints, alleged data security incidents and /or personal data breaches

Lawful basis for processing your personal data

The lawful basis we rely upon for collecting and processing personal data are for compliance with a legal obligation and for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

When we process special category data processing is necessary for reasons of substantial public interest and this is supported by Section 10 of the DPA 2018, particularly Schedule 1, Part 2 -for statutory and government purposes) 

These legal bases are underpinned by the legislation below which place a legal obligation for Achieving for Children to comply with information requests: 

  • Freedom of Information Act 2000
  • Environmental Information Regulations 2004
  • Data Protection Act 2018
  • UK General Data Processing Regulation (UK GDPR)

Who we share your personal information with

We will only share information where it is appropriate and legal to do so. Where this is necessary, we are required to comply with all aspects of the Data Protection Act 2018. 

Depending on the individual circumstances of each situation, we may have to share this information with other teams within Achieving for Children to fulfil other duties and powers to support our work. 

We may at times share information with our Commissioning Councils (Kingston Council, Richmond Council  and Windsor & Maidenhead Council). 

How long will we keep your information

We will retain your personal information for 3 years. At its expiry date the information will be reviewed, and only retained where there is an ongoing requirement to retain for a statutory or legal purpose. 

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

Achieving for Children’s email service has been configured to Government Digital Service and we encrypt and authenticate email in transit using Transport Layer Security (TLS) and Domain-based Message Authentication, Reporting and Conformance (DMARC). We will ensure that when we send emails containing your personal information they are sent using appropriate security measures to encrypt the data in transit. This may involve the use of a third party encryption tool where appropriate.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Your rights and access to information 

Find out about your rights under data protection legislation by reading Individual Rights Requests on this website.

If you have any questions or concerns about the way we process personal data, or would like to discuss anything in this privacy notice, please contact our Data Protection Officer: [email protected]

If you want to make a complaint about how we handle your personal data, we ask that you give our Data Protection Officer the opportunity to respond in the first instance but you are not obliged to do this. You can make a complaint directly to the Information Commissioner’s Office at