Privacy & data protection
How we handle your data
Vayacare processes personal data about some of the most vulnerable children in the country. We take that responsibility seriously. This policy explains what we collect, why, how we protect it, and your rights.
ICO registration: Z123456X
DPO: dpo@vayacare.co.uk
Last updated: 1 Jan 2026
What data we process and why
Children (EHCP transport)
Data collected
Full name and date of birth
EHCP reference number
School and transport route
Communication passport (sensory, medical, behavioural)
Journey history and attendance
Welfare observations from journey reports
Lawful basis
Legal obligation (EHCP statutory duty) + Vital interests
Retention
Duration of EHCP transport arrangement + 7 years
Shared with
Named driver (minimum needed for safe transport)
School (journey timing only)
Social worker (where applicable)
LA transport team
Parents and carers
Data collected
Name and contact details
Relationship to child
Communication preferences
Feedback and concerns history
Lawful basis
Legitimate interests + Contract
Retention
Duration of transport arrangement + 2 years
Shared with
Ops team (concern response)
Driver (emergency contact only)
Drivers and staff
Data collected
Employment records
DBS certificate and reference
Certification records (CPC, MIDAS, PATS)
GPS location data during working hours
CCTV footage (in-vehicle, 28-day retention)
Lawful basis
Employment contract + Legal obligation
Retention
Duration of employment + 6 years
Shared with
DBS Update Service (daily auto-check)
LA transport teams (cert status only)
Local authority portal users
Data collected
Name, job title, LA organisation
Login activity and access log
Actions taken (exports, authorisations, changes)
Lawful basis
Contract (LA service agreement)
Retention
Duration of LA contract + 3 years
Shared with
Vayacare ops team (support and audit)
ICO (on FOI or complaint request)
Your rights under UK GDPR
Right of access
Request a copy of your personal data held by Vayacare. We respond within 30 days.
Right to rectification
If your data is inaccurate or incomplete, request that it be corrected.
Right to erasure
In some circumstances, request deletion of your data. Note: statutory obligations may prevent erasure during a retention period.
Right to restriction
Request we limit how we process your data while a dispute is resolved.
Right to portability
Receive your data in a structured, machine-readable format (applies to data processed by automated means).
Right to object
Object to processing based on legitimate interests. We will stop unless we have compelling grounds.
To exercise any right, contact our Data Protection Officer
Email: dpo@vayacare.co.uk · Post: Vayacare Ltd, 14 Station Rd, Bromley BR1 2SJ
We will respond within 30 days. If unsatisfied, you may complain to the ICO at ico.org.uk or call 0303 123 1113.
How we protect your data
Encryption at rest
AES-256 via AWS KMS. All CCTV footage and personal data encrypted at the storage layer.
Encryption in transit
TLS 1.3 for all web and API traffic. Certificate pinning on mobile apps.
Access controls
Role-based access. Drivers see only their route and passengers. LA portal users see only their LA.
Audit logging
Every access, export, and change is logged. 90-day rolling retention. ICO-ready on request.
Penetration testing
Annual CREST-accredited pen test. Last conducted January 2026. No critical findings.
Incident response
Breach reporting to ICO within 72 hours where legally required. Data subjects notified without undue delay.