Skip to main content

{{ root_page.title }}

Privacy notice for the Single Point of Access (Windsor and Maidenhead)


This privacy notice explains what types of personal data we may hold about you, how we collect it, how we use and who we may share information with. We are required to give you this information under data protection law.

Who we are

Achieving for Children is a community interest company created in 2014 by the Royal Borough of Kingston upon Thames and London Borough of Richmond to provide children’s services. In August 2017 the Royal Borough of Windsor and Maidenhead became co-owner of Achieving for Children.

Achieving for Children delivers children’s services and the local authority statutory responsibilities relating to children aged up to 25 years across the boroughs of Kingston, Richmond and Windsor and Maidenhead. Achieving for Children is registered as a controller with the Information Commissioner’s Office (ICO) (registration number ZA045069) and is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

The Single Point of Access and Multi Agency Safeguarding Hub (SPA/MASH) acts as a single ‘front door’ for children in need of additional support and/or protection ensuring timely and informed decisions about risk are based on accurate and up to date information. Co-located within the SPA/MASH are representatives from children’s social care, the police and NHS. For safeguarding and risk assessment purposes, the SPA/MASH may request information from relevant agencies including health, education, police, probation, the youth offending team, adult services, housing, the UK Border Agency, and any relevant agency known to be working with the family will provide information regarding a child/parent/parent.

Why we need your information and how we use it

As the front door to Children’s Services, the SPA receives contacts and referrals through a variety of methods including telephone, email, letter and via the online referral form. All contacts and referrals are screened for safeguarding concerns and recorded on the Integrated Children’s System (ICS), called PARIS.

Using the information provided, a record of the child/parent/carer is created. A brief risk assessment, analysis and recommendations about what happens next is completed by the SPA. The SPA may recommend that no further action is taken or may signpost you to community support.

If further social work support is required, the risk assessment, analysis and recommendations are shared with the relevant social work team.

Personal data we collect

  • Name
  • Address
  • Date of birth
  • Nationality
  • Family/Relationships information
  • Referral/Assessment information
  • Criminal/Prosecution information
  • Equalities information
  • Health information
  • Housing information
  • Education information
  • NHS number
  • Other agencies involved with the child, young person and their family

Lawful basis for processing your personal data

The SPA relies on the following lawful basis for processing your personal information:

  • processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) of the UK GDPR)
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person (Article 6(1)(d)
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. (Article 6(1)(e)

The SPA relies on the following lawful basis for processing special categories of personal data:

  • processing is necessary for reasons of substantial public interest. (Article 9(2)(g) UK GDPR) The condition within Schedule 1, Part 2 is met for:
    (i) safeguarding children and individuals at risk Para. 18(1)(2)(3)
    (ii) preventing and detecting unlawful acts Para 10(1)(2)(3)
    (iii) Statutory and government purposes Para 6(1)(2)

Processing of criminal offence data is in compliance with Article 10 of the GDPR and for the purpose of preventing or detecting unlawful acts (DPA 2018, Schedule 1, Part 2, Para. 10)

These articles under the UK GDPR and the DPA 2018 are supported by the following specific legislation:

  • Children’s Act 1989
  • Children’s Act 2004
  • Working Together to Safeguard Children 2018
  • London Child Protection Procedures
  • Crime and Disorder Act 1998

Who we share your personal information with

Your personal information may be shared with Children’s Social Care and other departments within Achieving for Children, as well as external partner agencies such as NHS, other health agencies, Police and schools, in accordance with our duty of care towards children.

Sharing information about individuals with partner organisations, such as the police, NHS and schools, is sometimes necessary in order to protect individuals if there are concerns they may be at risk of significant harm and to keep those individuals and wider public safe.

Sections 10 and 11 of the Children Act 2004 place obligations upon the police, local authorities, NHS bodies and others to cooperate with other relevant partners in promoting the welfare of children and ensuring that their functions are carried out paying attention to the need to safeguard and promote the welfare of children.

How long will we keep your information

We only keep your personal data for as long as is required by law and in accordance with our retention schedule.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

Achieving for Children’s email service has been configured to Government Digital Service and we encrypt and authenticate email in transit using Transport Layer Security (TLS) and Domain-based Message Authentication, Reporting and Conformance (DMARC). We will ensure that when we send emails containing your personal information they are sent using appropriate security measures to encrypt the data in transit. This may involve the use of a third party encryption tool where appropriate.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Your rights and access to information

Under data protection legislation you have the right to request access to the information that we hold about you. To request a copy of your data, please read the Individual Rights Requests page and then submit your request using your preferred method of contact.

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • have inaccurate personal data rectified, blocked, erased or destroyed
  • prevent processing for the purpose of direct marketing object to decisions being taken by automated means
  • in certain circumstances have inaccurate personal data rectified, blocked, erased or destroyed; and
  • a right to seek redress, either through the ICO, or through the courts

If you have any questions or concerns about the way we process personal data, or would like to discuss anything in this privacy notice, please contact our Data Protection Officer: [email protected]

If you want to make a complaint about how we handle your personal data, we ask that you give our Data Protection Officer the opportunity to respond in the first instance but you are not obliged to do this. You can make a complaint directly to the Information Commissioner’s Office at


Version 2.0/09/2021
Issue date: 09/2021