Privacy policy
Introduction
This privacy notice outlines how we collect, use, and protect your information. It applies to our customers (e.g. participants or service users), clients / prospective clients (i.e. those who commission our services) and supply chain / suppliers who use our websites and services.
This privacy notice applies to Maximus UK companies, their websites and platforms (the “websites”):
- maximusuk.co.uk (and all sub-domains that use this URL extension)
- remploy.co.uk
- chdauk.co.uk
- maximus.restart.uk
- connectassist.co.uk
Reference to “Maximus UK” in this policy shall mean the companies and trading names listed at Registered company details.
What Personal Data We Use
We use the following types of information about our customers, clients / prospective clients, supply chain / suppliers and website users:
-
Customers
• Name and contact details
• Addresses
• Date of birth
• Account information
• Call recordings
• Demographic details (postcode, preferences, interests)
• Education
• Health or disability information, where required
• Health and safety information
• Identification documents
• Information from third-party devices, for example, your activity such as walking or cycling (only with your explicit consent)
• Photographs or video recordings
• Questions, queries, or feedback, including information relating to compliments or complaints
• Records of meetings and decisions
• Wellbeing data, including height and weight
• Work History
• Other -
Clients / Prospective Clients
• Name and contact details
• Addresses
• Questions, queries, or feedback, including information relating to compliments or complaints
• Records of meetings and decisions -
Supply Chain / Suppliers
• Name and contact details
• Addresses
• Questions, queries, or feedback, including information relating to compliments or complaints
• Records of meetings and decisions -
Website Users
• Website user information (including user journeys and cookie tracking)
• Automatically collected data (e.g., browser, IP address) using cookies (see our Cookie consent banner/engine and Cookies page for more information)
• Questions, queries, or feedback, including information relating to compliments or complaints
Why We Collect Your Personal Data
-
Purposes
We use collected data to or for:
• Maintain accurate records
• Improve our website, products, and services
• Respond to feedback, questions, or requests
• Provide information about other services (e.g., newsletters)
• Provide services to customers, including:
- user account access,
- appointment booking,
- appointment preparation, including using postcode to map the route to our offices
- producing outcome reports,
- providing advice and support
• Record telephone calls (for training, quality assurance, dispute resolution)
• Operate CCTV systems (crime prevention, dispute resolution)
• Marketing, we use information to:
- Send periodic promotional emails
- obtain advertising information, including conversion tracking -
Lawful Basis
Maximus operates as a Controller, Joint-Controller or Processor on the programmes we deliver for and on behalf of our clients.
Maximus may rely on any of following legal bases for processing:
1. Consent
2. Legal Obligation
3. Public Task
4. Legitimate Interests
The specific legal basis or bases will be communicated to data subjects by Maximus or our client at an appropriate time as part of the delivery of the services.
Sharing Your Personal Data
We may share your personal data with third parties, such as our clients, organisations referring you to our services and supply chain / suppliers. We will do this only where required in line with one of the lawful bases above.
We will not sell your information or share it with any other organisations for their own marketing, market research or commercial purposes.
We may share the information we collect about you in the following ways or for the following purposes:
-
Anonymised Sharing:
o We may share anonymised data (so you cannot be identified). This includes insights on how you use our systems and programmes.
o Researchers may also receive anonymised data to identify themes, trends, and improve outcomes (e.g., health outcomes). -
Legal and Regulatory Obligations:
o If required or allowed by law, we may disclose your personal information to law enforcement agencies, courts, regulators, or government authorities.
o We may also share data to protect our rights or the rights of third parties -
Health and Wellbeing Concerns:
o When we identify serious concerns about your health or someone else’s wellbeing.
-
Business Transactions:
o During a sale of our business assets or any restructuring.
Data Security and Anonymisation
When sharing information with other parties, we maintain controls to ensure data security and confidentiality. Anonymised data is also protected to prevent re-identification.
How Long We Store Your Personal Data
Maximus follows Data Retention policies and standards that specify how long records, including personal data, must be retained.
We will retain your personal information only as long as it is necessary in line with the purposes for which we collected it. This includes meeting legal, contractual, accounting, tax, regulatory, or reporting requirements.
In certain circumstances, we may retain your personal data for a longer period, for example:
- If there is a complaint related to our services
- Where litigation may be likely in relation to our interactions with you
During retention, we ensure the security and confidentiality of your personal data.
Your Rights
Under data protection laws, you have a number of rights. For example, you can ask us:
- for a copy of the information we hold about you
- to update any out-of-date information or inaccuracies, or
- to delete information
If you have access to your own data via one of our applications or web portals, you may be able to retrieve, correct or delete a copy of your personal data directly from that system.
If we hold your information for the purposes of services we provide on behalf of another organisation, any request you make may be more relevant to them and we may ask you to contact them directly. If you do send your request to us and we pass it to another organisation, we will tell you.
When making your request you should provide us with enough information to allow us to confirm your identity. We may ask for more information, for example to allow us to locate that information. If someone else makes the request to us on your behalf we may ask for a specific form of authority by which you allow them to receive your information from us.
If you ask us to delete all data we hold about you, and we hold the information based on:
- your consent– we will delete it. Where we do agree to delete your data this may result in the termination of our services
- another legal basis– we will consider your request on a case-by-case basis, establish if the legal basis still applies. If it is not necessary for us to keep it, we will delete it
Withdrawal of Consent
If our processing is based on consent, and you wish to withdraw that consent, we will delete the information we hold about you.
In some cases, your consent may be in relation to a specific activity, such as obtaining information about you from a third party. Where this activity has been completed and the further processing activity relies on a different lawful basis, we will not automatically delete your personal data if you withdraw your consent.
Automated Decision-Making and Profiling
Automated Decision Making is the processing of personal data to automatically make decisions using that data that have legal or similarly significant effects.
Profiling is automated processing of personal data to evaluate certain things about an individual, including for the purposes of Automated Decision Making.
Maximus does not process personal data to generate automated decisions about individuals and / or profile individuals without:
- Assessing the risks
- Telling our customers, including what information we use to create the profiles and where we get this information from.
International Transfer of Personal Data
Maximus processes most personal data within the UK, however, some software solutions have either storage or support outside the UK.
Where contracts with our clients require approval for international data transfers, we do not transfer personal data without such approval. Further, where personal data is processed outside the UK, we:
- Implement an International Data Transfer Agreement (IDTA) or Standard Contractual Clauses plus UK Addendum to safeguard your information.
- Ensure that the country handling your personal data has been deemed ‘adequate’ by the European Commission / Information Commissioner’s Office (ICO), including self-certify schemes such as the Data Privacy Framework for transfers to the US.
- Conduct appropriate transfer risk assessments, including a review of the technical and organisational privacy and security measures.
Contacts
-
Identity and contacts of the controller or joint controllers
Maximus is registered as a Controller with the under ICO registration number: ZA103012 - https://ico.org.uk/ESDWebPages/Entry/ZA103012
Maximus may not be the Controller for the programme you are participating in. You therefore may need to contact another party. If you want to receive information about who the Controller is for one of our services you should contact us. -
Contacts of the data protection officer
Maximus’ Data Protection Officer (DPO) is Kevin Tarleton – you can contact our DPO by email at DPO@maximusuk.co.uk
How to Contact Us
Please contact us if you have any questions. You can contact our Privacy Team by:
- Email: privacy@maximusuk.co.uk
- Post: Data Protection Officer / Privacy Team, Maximus, Floor 6, Russell Square House, Russell Square, London WC1B 5EH
When contacting our Privacy Team (including our DPO), it may help if you let us know:
- Which Maximus UK Company/ies or programme/s your request relates to
- What your request relates to – e.g. right of access request
- Any other information we might require
- sufficient information to enable us to identify your records such as Name, Address and Customer Reference Number
- The time period you were involved in one of our programmes
If you have raised a concern with us and remain unhappy, you can contact the ICO – details available via their website – https://ico.org.uk/