Information about your rights under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, and how to exercise them.
Last updated: 11 June 2026
The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 give you rights regarding the personal data that organisations hold about you. These rights are designed to give you more control over your information and to ensure that organisations handle your data responsibly and transparently.
ACS is committed to protecting your privacy and ensuring you can exercise your data protection rights easily and without charge.
You have the right to be informed about how we use your personal data, including the purposes and legal basis for processing.
You can request a copy of all personal data we hold about you, including details of how it's used and who it's shared with.
You can request deletion of your personal data, subject to legal obligations to retain certain records (e.g., safeguarding, employment).
You can request your personal data in a commonly used format for transfer to another organisation.
You can request correction of inaccurate or incomplete personal data we hold about you.
You can object to certain types of processing, particularly direct marketing or processing based on legitimate interests.
You can request that we limit how we use your data while a dispute is resolved.
You have rights regarding automated decision-making and profiling in certain circumstances.
To exercise any of your data protection rights, please contact us using one of the following methods. We will respond to your request within one month (extendable by a further two months for complex requests).
The types of personal data processed by ACS depends on your role and relationship with the organisation using the platform.
Under GDPR, we must have a lawful basis for processing personal data. ACS processes data based on the following lawful bases:
Processing is necessary for compliance with legal obligations in social care, including Ofsted regulations, safeguarding duties, and employment law.
Processing is necessary for the legitimate interests of the organisation in providing safe, effective care, maintaining records, and ensuring the wellbeing of children and staff.
Processing is necessary to protect someone's vital interests in emergency situations, such as safeguarding concerns or medical emergencies.
Processing is necessary for the performance of an employment contract with staff members.
We do not keep personal data for longer than necessary. Different types of data have different retention periods based on legal requirements and business needs.
For detailed information about our data retention policies, please see ourData Retention Policy.
Important: Some records must be retained indefinitely for safeguarding purposes, even after you leave the organisation or a child leaves care. This includes serious incident reports and safeguarding concerns.
We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
For detailed information about our security measures, please see ourSecurity & Data Protection page.
You have the right to receive a copy of all personal data we hold about you. This includes:
Response Time: Within one month (extendable by two months for complex requests)
You can request deletion of your personal data. However, we may not be able to delete all data if we have a legal obligation to retain it.
Exceptions: We cannot delete data required for safeguarding, employment law, regulatory compliance, or legal proceedings. In these cases, we will restrict processing instead of deleting.
You can request your data in a structured, commonly used format (such as CSV or JSON) to transfer to another organisation.
Availability: Applies to data you have provided to us where processing is based on consent or contract.
In certain circumstances, you can ask us to limit how we use your data while a dispute is being resolved (for example, if you contest the accuracy of the data).
You can object to processing based on legitimate interests. We must then stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Absolute Right: You always have the right to object to direct marketing.
If you are unhappy with how we have handled your personal data or your data rights request, you have the right to complain.
First, contact your organisation's data protection officer or manager to raise your concern. We will acknowledge your complaint within 5 working days.
If you are not satisfied with our response, you can complain to the Information Commissioner's Office (ICO), the UK's data protection regulator.
ICO Website: ico.org.uk
ICO Helpline: 0303 123 1113
You have the right to seek judicial remedy against the organisation or the ICO through the courts if you believe your rights have been infringed.
To exercise your data rights, ask questions about how we use your data, or raise a concern, please contact your organisation's designated data protection representative or manager through the normal communication channels within the ACS platform, or contact the organisation directly using the details provided during your onboarding.