Strategic Commissioning Privacy Notice
Last updated: 1 June 2026
Strategic Commissioning Privacy Notice
Who we are
Birmingham Children’s Trust ("the Trust") uses information about individuals so that it can commission services to meet the needs of children, young people and families in Birmingham. We are the data controller for the personal information described in this notice and we are responsible for how it is processed.
We comply with:
- The UK General Data Protection Regulations (GDPR)
- The Data Protection Act 2018 (Reg. ZA317906).
Purpose of this notice
This notice explains:
- What information we collect
- How we use it
- Who we share it with
- Your rights
You should read this before you submit your information to us.
What information we collect
We may collect information from providers, individuals, and partner organisations to support commissioning and service delivery. More specifically we process the following information:
Service Providers:
We may collect:
- Contact details (name, role, address, email, phone)
- Business and contractual information
- Financial information (bank details, VAT number, Unique Tax Reference (UTR number)
- Insurance and health & safety records
- Regulatory information (e.g. Ofsted, CQC ratings)
If you do not provide this information, we may be unable to:
- Process your tender
- Award or manage contracts
- Make payments
Information about individuals (where relevant)
We may process:
- Personal details (name, address, date of birth)
- Contact information
- Family details
- Education information (school, exclusions)
- SEND and Education Health Care Plan (EHCP) information
- Care status
- Assigned professionals
Special category data:
We may also process:
- Ethnicity
- Gender
- Health, care or support needs (where relevant)
Information from other sources
We may obtain information from:
- Birmingham City Council
- Schools and academies
- Other Trust services
- Regulatory bodies (Ofsted, CQC)
- The Disclosure and Barring Service (DBS)
- Partner organisations involved in service delivery
How we collect information
We collect information through:
- Secure internal systems and databases
- Tendering and commissioning processes
- Online forms and service applications
How we use your information
We use personal information to:
- Plan and develop services and support strategic planning
- Commission and procure services
- Monitor contracts and quality
- Support service improvement
- Manage participation and engagement activities
- Meet safeguarding responsibilities
- Prepare for regulatory inspections
Where possible, we use anonymised data for research and service planning
Lawful basis
We process personal data under the following UK GDPR lawful bases:
- Article 6(1)(b) – Contract (e.g. commissioning and managing services)
- Article 6(1)(c) – Legal obligation (e.g. compliance with legislation)
- Article 6(1)(e) – Public task (e.g. safeguarding, statutory duties)
- Article 6(1)(a) – Consent (e.g. specific complaints where required)
We process special category data under:
- Article 9(2)(g) – Substantial public interest (supported by legislation including the Children Act 2004, Children and Families Act 2014, and Care Act 2014)
- Article 9(2)(h) – Health or social care, where processing is necessary for the provision, management and oversight of health or social care services.
Legislation supporting our processing
Our processing of personal and special category data is supported by relevant legislation, including:
- Children Act 1989 and Children Act 2004
- Children and Families Act 2014
- Care Planning, Placement and Case Review Regulations 2010
Sharing your information
We only share information where necessary and lawful, and we share the minimum required.
We may share with:
- Birmingham City Council (commissioning role)
- Regulatory bodies (Ofsted, CQC)
- Law enforcement (Police)
- Other Local Authorities
- Commissioned providers and delivery partners
- Internal Trust teams
- Advocacy services and project partners
We share information to:
- Deliver services
- Meet legal and safeguarding duties
- Support inspections and oversight
- Prevent fraud or crime
We never sell your personal information.
How we store your information
We retain information in line with legal and operational requirements. The key retention periods are:
- Contracts (standard): contract term + 6 years
- Contracts under seal: contract term + 12 years
Retention periods begin from the end of the contract. After this, data is securely deleted or archived.
How we keep your information safe
We use appropriate technical and organisational measures, including:
- Secure electronic case management systems
- Role-based access controls
- Encryption and secure data transfer
- Staff training and confidentiality requirements
- Data breach reporting procedures
International transfers
Personal data is not routinely transferred outside the UK. Where this is necessary, appropriate safeguards will be in place in line with UK GDPR.
Automated decision-making
We do not use personal data for automated decision-making or profiling that produces legal or significant effects.
Your rights
Under UK GDPR law, you have the right to:
- Be informed about how your data is used
- Access your personal data (Subject Access Request)
- Request correction of inaccurate data
- Request deletion (where applicable)
- Restrict or object to processing (in certain circumstances)
- Withdraw consent (where applicable)
- Request data portability (where applicable)
- Complain to the ICO
Some rights may be limited where we must comply with legal obligations.
Requesting your information
To request access to your data (Subject Access Request):
Disclosure Team
One Avenue Road
Aston
Birmingham
B6 4DU
Email: DisclosureTeam@birminghamchildrenstrust.co.uk
Complaints
If you have concerns, contact us first:
CustomerRelations@birminghamchildrenstrust.co.uk
You can also contact the Information Commissioner’s Office (ICO): https://ico.org.uk/concerns
Tel: 0303 123 1113
For more information contact
Data Protection Officer