Privacy & Data Policy
Effective Date: 21/11/2025
Version: 1.0
1. Introduction
Trilborne Ltd (referred to as "we", "us", or "our") is committed to protecting the privacy and security of the data we process when providing Health & Safety (H&S) Audit services to schools (our "Clients").
This policy explains how we collect, use, and process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Who We Are (Data Controller)
- Company Name: Trilborne Ltd
- Address: 137 Silverdale Rd, Reading, Berkshire, RG6 7ND
- ICO Registration Number: ZC041393
- Data Protection Contact: Charles Ainslie
- Email for Data Enquiries: charles.ainslie@trilborne.co.uk
We act as a Data Controller in respect of the personal data we collect from Client representatives, staff, and contractors to manage our business relationship, contracts, and invoicing.
We primarily act as a Data Processor on behalf of our Clients (the schools) when we process data specifically gathered during an H&S audit (e.g., photos of fire exits, records of maintenance checks which may contain staff signatures/initials). This relationship will be governed by a separate Data Processing Agreement (DPA) within our contract.
3. Personal Data We Collect and Process
In the context of providing our H&S Audit service, we may collect and process the following categories of personal data:
| Category of Data | Specific Data Points | Source | Purpose of Processing |
| --- | --- | --- | --- |
| Client Contact Data | Name, Job Title, Work Email, Work Phone Number, School Address. | Directly from the Client or its representative. | Contract performance, service management, invoicing, and reporting. |
| Audit Data | Signatures/Initials on log sheets, names of staff responsible for H&S checks (e.g., Fire Warden, Maintenance Manager). | Collected during the on-site audit (e.g., audit forms, maintenance logs, photographs). | To complete the H&S Audit, document compliance/non-compliance, and generate the formal report. |
| Technical Data | IP address, browser type, device details (for users accessing our audit portal/reporting platform). | Automatically via our digital platforms/website. | System security, troubleshooting, and service improvement. |
We endeavour to apply the principle of Data Minimisation, ensuring we only collect personal data strictly necessary for the purposes of completing the H&S audit and managing the Client relationship. We generally avoid collecting Special Category Data.
4. Lawful Basis for Processing
We rely on the following lawful bases under UK GDPR for processing your personal data:
| Purpose of Processing | Lawful Basis | Justification |
| --- | --- | --- |
| Contract Management | Contractual Necessity | Processing is necessary to fulfill our obligations under the H&S Audit service contract with the school (Client). |
| Audit Documentation | Legitimate Interests | Processing the initials/signatures of responsible staff is necessary for the legitimate interest of documenting H&S compliance and accountability within the Client organisation. |
| Financial/Tax Records | Legal Obligation | Processing necessary for compliance with UK legal requirements (e.g., HMRC/tax laws). |
| Direct Marketing (B2B) | Legitimate Interests | Where permitted, we may use contact details to inform Client representatives of similar services we offer (with a clear opt-out). |
5. Data Sharing and Disclosure
We will not sell or rent your personal data to any third party. We may share your data only with the following third parties for the purposes outlined:
- Sub-processors/Data Processors: Third-party IT service providers, secure cloud storage providers, and our audit management software provider. These parties are subject to strict contractual Data Processing Agreements (DPAs) requiring them to comply with UK GDPR.
- Professional Advisers: Accountants, auditors, and legal professionals, where necessary to receive advice or protect our legal interests.
- Legal/Regulatory Authorities: If legally required to do so by a court order or regulatory body (e.g., HSE, ICO).
Any international transfers of data (outside the UK/EEA) will only occur if a legally approved mechanism, such as the UK's International Data Transfer Agreement or standard contractual clauses, is in place to ensure an adequate level of data protection.
6. Data Security
We have implemented appropriate technical and organisational measures to prevent personal data from being accidentally lost, used, or accessed in an unauthorised way. This includes:
- Encryption for data in transit and at rest.
- Access controls that restrict data access only to employees who require it to perform their job.
- Regular security reviews of our systems and procedures.
7. Data Retention
We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- Client Contract Data: Retained for a minimum of six (6) years after the end of the contract to meet legal and tax obligations.
- Audit Reports/Data: Retained in line with the terms of our contract with the school (Client) and their specific H&S record-keeping requirements.
At the end of the retention period, we will securely destroy or anonymise your personal data.
8. Your Legal Rights (Data Subject Rights)
Under UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact our Data Protection Contact (see Section 2).
- Right to be Informed: To be informed about how your data is processed (which this policy addresses).
- Right of Access: To request a copy of the personal data we hold about you (a Subject Access Request - SAR).
- Right to Rectification: To request correction of inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): To request the deletion of your personal data where there is no compelling reason for us to continue processing it.
- Right to Restrict Processing: To ask us to suspend the processing of your personal data in certain scenarios.
- Right to Data Portability: To request that we transfer your personal data to you or another party in a structured, commonly used, machine-readable format.
- Right to Object: To object to our processing of your personal data where we are relying on legitimate interests.
9. How to Complain
If you have any concerns about our use of your personal data, please contact our Data Protection Contact in the first instance.
You also have the right to make a complaint at any time to the UK supervisory authority for data protection, the Information Commissioner's Office (ICO):
- ICO Website: ico.org.uk
- ICO Helpline: 0303 123 1113
