About Jigsaw Adoption


Jigsaw Adoption Limited is a company limited by guarantee registered in England and Wales with the number 9172398. Our registered office address is:

Third floor, the Griffin
12 the Broadway
Buckinghamshire HP7 0HP

Jigsaw Adoption is registered with Ofsted to provide domestic adoption services as well as adoption support services. Our Ofsted registration number is SC489014.

Our statement of purpose is available here:

Statement of purpose


This document sets out the terms on which a recipient of personal data (the “Data Recipient”) from Jigsaw Adoption Ltd, a company registered in England under number 9172398, whose registered office is at 12 the Broadway, Amersham, Buckinghamshire, HP7 0HP (the “Company”) shall process such personal data.


In this document, “Data Protection Legislation” means 1) unless and until EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations, and secondary legislation (as amended from time to time), in the UK and subsequently 2) any legislation which succeeds the GDPR.


Data Processing

1.   In this Document, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in Article 4, GDPR.

2.   The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Document shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.

3.   For the purposes of the Data Protection Legislation and for this Document, the Company is the “Data Controller” and the Data Recipient is the “Data Processor”.

4.   The type(s) of personal data, the scope, nature and purpose of the processing, are set out in the Data Controllers Data Protection Policy which is available on the Data Controller’s website.

5.   The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement.

6.   The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement:

6.1          Process the personal data only on the instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law.

6.2          Ensure that it has in place suitable technical and organisational measures to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures.

6.3          Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; and

6.4          Not transfer any personal data outside of the European Economic Area without the prior consent of the Data Controller and only if the following conditions are satisfied:

6.4.1        The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data;

6.4.2        Affected data subjects have enforceable rights and effective legal remedies;

6.4.3        The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and

6.4.4        The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data.

6.5          Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office);

6.6          Notify the Data Controller without undue delay of a personal data breach;

6.7          On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and

6.8          Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Document and to allow for audits by the Data Controller and/or any party designated by the Data Controller.

7.   The Data Processor shall not sub-contract any of its obligations with respect to the processing of personal data under this Document.




In this section, you will find Jigsaw's polices for dealing with personal data collected from our service users and other sources as well as terms on which third parties may process data received from Jigsaw.

Guests and adopters

If you are visiting our site to learn about adoption and/or if you are contacting us to discuss potential adopting and/or if you are going through the adoption process with us and/or you are providing personal data to us in any other capacity, Jigsaw's data protection and data retention policies are relevant to you. Both policies are an integral part of our data protection framework and we recommend that you familiarise yourself with both.

Data protection policy

Data retention policy

Local authorities and sub-contractors

If you are a local authority discussing a potential placement of a child/children with our adopters or if you are doing work for us on a freelance basis or if you are receiving personal data from Jigsaw in any other capacity, you are a "data processor" as defined in Article 4of the EU regulation 2016/679 General Data Protection and the terms set out below with apply to you.

Terms and conditions for data processing

Data access

If you are a data subject (i.e. if you have given us personal data), you have the right to request a copy of such personal data. Please use the form below to make a request.

Subject access request form

Additional information

If you have any questions or would like to discuss, please don't hesitate to contact us on This email address is being protected from spambots. You need JavaScript enabled to view it.

1.            Introduction

This Policy sets out the obligations of Jigsaw Adoption Ltd, a company registered in England under number 9172398, whose registered office is at 12 the Broadway, Amersham, Buckinghamshire, HP7 0HP (“the Company”) regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The GDPR also addresses “special category” personal data (also known as “sensitive” personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.

Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).

In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:

a)            Where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);

b)            When the data subject withdraws their consent;

c)            When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;

d)            When the personal data is processed unlawfully (i.e. in breach of the GDPR);

e)            When the personal data has to be erased to comply with a legal obligation; or

f)             Where the personal data is processed for the provision of information society services to a child.

This Policy sets out the type(s) of personal data held by the Company the purpose of operating as a voluntary adoption agency, the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.

For further information on other aspects of data protection and compliance with the GDPR, please refer to the Company’s Data Protection Policy.


2.    Aims and Objectives

2.1          The primary aim of this Policy is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.

2.2          In addition to safeguarding the rights of data subjects under the GDPR, by ensuring that excessive amounts of data are not retained by the Company, this Policy also aims to improve the speed and efficiency of managing data.


3.    Scope

3.1          This Policy applies to all personal data held by the Company for the purpose of operating as a voluntary adoption agency which includes, without limitation, recruiting, training and assessing potential adopters or children in the UK care system.

3.2          Personal data, as held by the Company is stored in the following ways and in the following locations:

a)            Third-party servers, operated by Amazon Web Services and located in Ireland;

b)            Third-party servers operated by pCloud AG located in Switzerland;

c)            Computers permanently located in the Company’s premises in Amersham;

d)            Laptop computers provided by the Company to its employees; and

e)            Computers and owned by sub-contractors;


4.    Data Subject Rights and Data Integrity

All personal data held by the Company is held in accordance with the requirements of the GDPR and data subjects’ rights thereunder, as set out in the Company’s Data Protection Policy.

4.1          Data subjects are kept fully informed of their rights, of what personal data the Company holds about them, how that personal data is used as set out in Parts 12 and 13 of the Company’s Data Protection Policy, and how long the Company will hold that personal data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).

4.2          Data subjects are given control over their personal data held by the Company including the right to have incorrect data rectified, the right to request that their personal data be deleted or otherwise disposed of.


5.    Technical and Organisational Data Security Measures

5.1          Technical and organisation measures within the Company to protect the security of personal data are set out in the Company’s data protection policy.


6.    Data Disposal

Upon the expiry of the data retention periods set out below in Part 7 of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:

6.1          Personal data stored electronically shall be deleted from the Company’s cloud storage;

6.2          Personal data stored on the Company’s website shall be deleted; and

6.3          Personal data stored in hardcopy form shall be shredded.


7.    Data Retention

7.1          As stated above, and as required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.

7.2          Different types of personal data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.

7.3          When establishing and/or reviewing retention periods, the following shall be taken into account:

a)            The objectives and requirements of the Company;

b)            The type of personal data in question;

c)            The purpose(s) for which the data in question is collected, held, and processed;

d)            The Company’s legal basis for collecting, holding, and processing that data;

e)            The category or categories of data subject to whom the data relates;

f)             The need to retain data in order to be able to conduct or assist in child safeguarding investigations.

7.4          Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise) except where such deletion would be in breach of applicable regulation or, in the reasonable opinion of the Company reduce the Company’s ability to lead, participate in or assist in investigations related to safeguarding children.

7.5          The period for which personal data is retained depends in what capacity the data subject interacts with the company and, for potential adopters, how far they progress in the adoption process.





Data subject category

Data collected

Purpose of Data

Retention Period


Data subjects browsing the website

No data collected




Data subjects sending a message to the Company through the website or email

IP address

Type of browser

Operating system used



Telephone number

Any data given in body of message

To facilitate discussion about data subject potentially entering adoption process

5 years

An adoption agency is required to reply to other adoption agencies if the query whether adopters have registered or enquired with the first agency

Data subjects registering on website and filling our preliminary interest form

All data set out above

Age range



Type of work

Type of relationship

Preferences in respect of adoption

Whether the household already has children

Size of home

Any other personal data provided by data subject in emails or otherwise

Providing login and access to the website; and

To progress discussion about potentially entering the adoption process and to be able to make a preliminary assessment of probability of success

5 years

An adoption agency is required to reply to other adoption agencies if the query whether adopters have registered or enquired with the first agency

Data subjects entering and completing the adoption process either through successfully adopting children in the UK

All data set out above

Data in respect of data subjects that the Company is required to collect for the process of going through the adoption process as set out in the Adoption Agencies (Miscellaneous Amendments) Regulations 2013

Such data includes, but is not limited to:

Date of birth

Ethnicity and cultural identity


Marital status

Address history

A family tree

Details of any employment

Medical information and history

Details on financial situation

Details of any previous legal processes involving a family court

Languages spoken

A chronology of the data subject’s life

Ni number

A DBS check

To assess the data subject(s)’ suitability to adopt children from the UK care system;

To share with local authorities to enable them to decide whether to place children for adoption with the data subject; and

To facilitate adoption support once the children move in

100 year

An adoption agency is required to keep adoption records for 100 years

Data subjects who complete the adoption process through having their approval to adopt terminated by the Company and  data subjects who voluntarily withdraw from the process

As above

To assess the data subject(s)’ suitability to adopt children in the UK

10 years

This is the period deemed appropriate for safeguarding purposes



8.            Sharing data with third parties

In order to comply with applicable regulation, assess data subjects’ suitability to adopt children, and, where data subjects have been approved to adopt, to match them with children waiting to be adopters, the Company may share personal data with third parties. Such personal data may include sensitive personal data.

Sharing of data with third parties will only take place where it is required by applicable regulation and where the Company reasonably considers it necessary in the interest of the data subject or in the interest of looked after children.

Third parties include, without limitation, local authorities in the UK as well as the NSPCC and Capita plc and other organisations which the Company is required to pr deem it appropriate to contact as part of the adoption process.

The Company will not share personal data with third parties for marketing purposes.

9.            Cookies

The Company’s website may place and access certain first-party Cookies on your computer or device. First-party Cookies are those placed directly by the Company and are used only by the Company. The Company uses Cookies to facilitate and improve your experience of its website and to provide and improve its services.

All Cookies used by and on the Company’s website are used in accordance with current Cookie Law.

Before Cookies are placed on a computer or device, the user will be shown a prompt requesting your consent to set those Cookies. By giving consent to the placing of Cookies data subjects are enabling the Company to provide the best possible experience and service.

Data Subjects can choose to enable or disable Cookies in their internet browser. Most internet browsers also enable users to choose whether they wish to disable all Cookies or only third-party Cookies. By default, most internet browsers accept Cookies, but this can be changed. For further details, data subject should consult the help menu in their internet browser or the documentation that came with the device.

Data subjects can choose to delete Cookies on their computer or device at any time, however this may delete information that enables data subjects to access the Company’s website more quickly and efficiently including, but not limited to, login and personalisation settings.

It is recommended that data subjects keep their internet browser and operating system up-to-date and that they consult the help and guidance provided by the developer of the internet browser and manufacturer of the computer or device if they are unsure about adjusting the privacy settings.

10.         Implementation of Policy

This Policy shall be deemed effective as of the date written above. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.


This Policy has been approved and authorised by:


Erik Ferm




25 May 2018






Read more

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we'll assume that you are happy to receive cookies. To find out more about the cookies we use and how to delete them, see our privacy policy.

  I accept cookies from this site.